RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
Jamil Nimeh
jamil.j.nimeh at oracle.com
Thu Oct 11 17:11:38 UTC 2018
Hello all,
This fixes an issue with the TLS 1.3 CertificateRequest message. In
cases where the server side can initially support multiple protocol
versions, by the time it issues a CertificateRequest message it collects
the list of supported signature schemes for the signature_algorithms and
signature_algorithms_cert extensions using all supported protocols as a
filtering mechanism.
This change alters the filtering process to use only the negotiated
protocol, so only those sig algs allowed for that one protocol version
will be asserted.
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/
JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
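The filtering defect described above, modelled as an added Python example rather than JDK code or the webrev's change. The scheme-to-version table is a constructed, simplified subset of the RFC 5246 / RFC 8446 rules for which schemes may sign handshake messages; the "before" function collects schemes across every supported version, the "after" function uses only the negotiated one, and a checker reports what a given request offers that the negotiated version does not permit.

```python
"""Model of the JDK-8211866 defect: CertificateRequest signature schemes were
filtered by all *supported* protocol versions instead of the *negotiated* one.
Constructed example; the table is a simplified subset, not the JDK's."""
from typing import Dict, FrozenSet, Iterable, List

TLS12, TLS13 = "TLSv1.2", "TLSv1.3"

# Constructed table: scheme -> versions in which it may sign a handshake
# message such as CertificateVerify (simplified from RFC 5246 / RFC 8446 4.2.3).
HANDSHAKE_SIGNING_VERSIONS: Dict[str, FrozenSet[str]] = {
    "ecdsa_secp256r1_sha256": frozenset({TLS12, TLS13}),
    "rsa_pss_rsae_sha256":    frozenset({TLS12, TLS13}),
    "ed25519":                frozenset({TLS12, TLS13}),
    "rsa_pkcs1_sha256":       frozenset({TLS12}),  # certificate-only in TLS 1.3
    "rsa_pkcs1_sha1":         frozenset({TLS12}),  # legacy, not for 1.3 CertificateVerify
    "ecdsa_sha1":             frozenset({TLS12}),  # legacy, not for 1.3 CertificateVerify
    "dsa_sha256":             frozenset({TLS12}),  # DSA removed in TLS 1.3
}


def allowed_for(version: str) -> List[str]:
    """Schemes permitted to sign handshake messages under one protocol version."""
    return [s for s, vs in HANDSHAKE_SIGNING_VERSIONS.items() if version in vs]


def cert_request_sig_algs_before(supported: Iterable[str], negotiated: str) -> List[str]:
    """Defective behaviour: every enabled version acts as a filter, so a server
    enabled for TLS 1.2 and 1.3 leaks 1.2-only schemes into a 1.3 request.
    `negotiated` is accepted only for signature parity; the bug ignores it."""
    offered: List[str] = []
    for version in supported:
        for scheme in allowed_for(version):
            if scheme not in offered:
                offered.append(scheme)
    return offered


def cert_request_sig_algs_after(supported: Iterable[str], negotiated: str) -> List[str]:
    """Fixed behaviour: only the negotiated version filters the scheme list."""
    if negotiated not in set(supported):
        raise ValueError("negotiated version must be one the server enabled")
    return allowed_for(negotiated)


def disallowed_in_request(offered: Iterable[str], negotiated: str) -> List[str]:
    """Defender-side check: offered schemes the negotiated version does not permit."""
    return [s for s in offered
            if negotiated not in HANDSHAKE_SIGNING_VERSIONS.get(s, frozenset())]
```

With only TLS 1.3 enabled the two functions agree, which is why the defect surfaced only on servers configured for several protocol versions.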