RFR: 8210989 TLSv1.2 not authenticating using PSS certificates

Xuelei Fan xuelei.fan at oracle.com
Mon Oct 15 18:36:43 UTC 2018


Looks nice to me.

To help to remember the decision, would you mind adding a comment in the 
T12CertificateRequestConsumer.consume() block about why we don't use the 
CertificateRequest.certificate_types any more?  Maybe some words like, 
"Note that the certificate_types field is not used here. The 
supported_signature_algorithms field has provided sufficient information".

Thanks,
Xuelei

On 10/7/2018 9:33 AM, Jamil Nimeh wrote:
> Hello all, this fixes an issue where for TLSv1.2 connections 
> specifically, clients will not authenticate using PSS certs even when 
> PSS signature algorithms are asserted in the CertificateRequest 
> message.  This brings in a method for client certificate selection 
> similar to how we do it for TLS 1.3.  TLS 1.3, 1.1 and 1.0 client 
> certificate selection is not affected by this fix.
> 
> JBS: https://bugs.openjdk.java.net/browse/JDK-8210989
> 
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8210989/webrev.01/
> 
> --Jamil
> 
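
The difference between the two CertificateRequest fields discussed in this thread, as an added example that is not code from the webrev or the JDK: it parses a constructed TLS 1.2 CertificateRequest body and derives candidate client key algorithms once from certificate_types and once from supported_signature_algorithms. The class name, the code-point-to-key-algorithm tables and the sample bytes are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CertReqKeyTypes {
    // TLS 1.2 ClientCertificateType values -> JCA key algorithm (assumed mapping)
    static final Map<Integer, String> CERT_TYPES = Map.of(1, "RSA", 2, "DSA", 64, "EC");
    // SignatureScheme code points (RFC 8446) -> JCA key algorithm (assumed mapping)
    static final Map<Integer, String> SIG_SCHEMES = Map.ofEntries(
        Map.entry(0x0401, "RSA"), Map.entry(0x0501, "RSA"), Map.entry(0x0601, "RSA"),
        Map.entry(0x0403, "EC"), Map.entry(0x0503, "EC"), Map.entry(0x0603, "EC"),
        Map.entry(0x0804, "RSA"), Map.entry(0x0805, "RSA"), Map.entry(0x0806, "RSA"),
        Map.entry(0x0809, "RSASSA-PSS"), Map.entry(0x080a, "RSASSA-PSS"),
        Map.entry(0x080b, "RSASSA-PSS"));

    /** Parses a TLS 1.2 CertificateRequest body; returns [by certificate_types, by signature algorithms]. */
    static List<Set<String>> keyTypes(byte[] body) {
        ByteBuffer in = ByteBuffer.wrap(body);
        Set<String> byType = new LinkedHashSet<>(), byScheme = new LinkedHashSet<>();
        if (in.remaining() < 1) throw new IllegalArgumentException("empty body");
        int n = in.get() & 0xff;                    // certificate_types<1..2^8-1>
        if (n < 1 || n > in.remaining()) throw new IllegalArgumentException("bad certificate_types");
        for (int i = 0; i < n; i++) {
            String k = CERT_TYPES.get(in.get() & 0xff);
            if (k != null) byType.add(k);           // unknown types are skipped
        }
        if (in.remaining() < 2) throw new IllegalArgumentException("truncated");
        int len = in.getShort() & 0xffff;           // supported_signature_algorithms<2..2^16-2>
        if (len < 2 || (len & 1) != 0 || len > in.remaining())
            throw new IllegalArgumentException("bad supported_signature_algorithms");
        for (int i = 0; i < len; i += 2) {
            String k = SIG_SCHEMES.get(in.getShort() & 0xffff);
            if (k != null) byScheme.add(k);         // keeps the server's preference order
        }
        // certificate_authorities<0..2^16-1> follows and is not needed here
        return List.of(byType, byScheme);
    }

    public static void main(String[] args) {
        // Constructed sample body: types {ecdsa_sign, rsa_sign, dss_sign}; schemes
        // {rsa_pss_pss_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256}; no CAs
        byte[] body = {3, 64, 1, 2, 0, 8, 8, 9, 8, 4, 4, 3, 4, 1, 0, 0};
        List<Set<String>> r = keyTypes(body);
        System.out.println("from certificate_types: " + r.get(0));
        System.out.println("from supported_signature_algorithms: " + r.get(1));
    }
}
```

With the sample body, only the set derived from supported_signature_algorithms contains RSASSA-PSS, since certificate_types has no value that distinguishes a PSS key from a plain RSA key.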