RFR: 8210989 TLSv1.2 not authenticating using PSS certificates
Jamil Nimeh
jamil.j.nimeh at oracle.com
Tue Oct 16 16:24:23 UTC 2018
Yes, that seems like a good idea to do. I will add some comments
explaining the change.
--Jamil
On 10/15/2018 11:36 AM, Xuelei Fan wrote:
> Looks nice to me.
>
> To help to remember the decision, would you mind adding a comment in the
> T12CertificateRequestConsumer.consume() block about why we don't use
> the CertificateRequest.certificate_types any more. Maybe, some words
> like, "Note that the certificate_types field is not used here. The
> supported_signature_algorithms field has provided sufficient information".
>
> Thanks,
> Xuelei
>
> On 10/7/2018 9:33 AM, Jamil Nimeh wrote:
>> Hello all, this fixes an issue where for TLSv1.2 connections
>> specifically, clients will not authenticate using PSS certs even when
>> PSS signature algorithms are asserted in the CertificateRequest
>> message. This brings in a method for client certificate selection
>> similar to how we do it for TLS 1.3. TLS 1.3, 1.1 and 1.0 client
>> certificate selection is not affected by this fix.
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8210989
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8210989/webrev.01/
>>
>> --Jamil
>>
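
An added illustration (not part of the original thread and not the JDK's code) of the behaviour discussed above: a simplified Python model of TLS 1.2 client key selection, where choosing by certificate_types cannot match a PSS key while choosing by supported_signature_algorithms can. The function names, sample message and keystore are constructed for this example.

```python
import struct

# Code points: RFC 5246 section 7.4.4 and RFC 8446 section 4.2.3.
# Key-algorithm strings are the JCA standard names; mapping rsa_sign to "RSA"
# keys only is an assumption of this model.
CERT_TYPE_KEY_ALG = {1: "RSA", 2: "DSA", 64: "EC"}  # rsa_sign, dss_sign, ecdsa_sign
SIG_SCHEME_KEY_ALG = {
    0x0401: "RSA",         # rsa_pkcs1_sha256
    0x0403: "EC",          # ecdsa_secp256r1_sha256
    0x0804: "RSA",         # rsa_pss_rsae_sha256 (PSS signature, plain RSA key)
    0x0809: "RSASSA-PSS",  # rsa_pss_pss_sha256 (PSS signature, PSS key)
}

def parse_certificate_request(body):
    """Return (certificate_types, supported_signature_algorithms) from a
    TLS 1.2 CertificateRequest body; certificate_authorities is ignored."""
    if len(body) < 1 or len(body) < 1 + body[0] + 2:
        raise ValueError("truncated certificate_types")
    n = body[0]
    cert_types = list(body[1:1 + n])
    (sig_len,) = struct.unpack_from("!H", body, 1 + n)
    off = 1 + n + 2
    if sig_len % 2 or off + sig_len > len(body):
        raise ValueError("malformed supported_signature_algorithms")
    schemes = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, sig_len, 2)]
    return cert_types, schemes

def key_algs_from_cert_types(cert_types):
    return [CERT_TYPE_KEY_ALG[t] for t in cert_types if t in CERT_TYPE_KEY_ALG]

def key_algs_from_sig_schemes(schemes):
    algs = []
    for s in schemes:
        alg = SIG_SCHEME_KEY_ALG.get(s)
        if alg and alg not in algs:
            algs.append(alg)
    return algs

def pick_client_key(keystore, wanted_algs):
    """First alias in keystore (alias -> key algorithm), in the peer's preference order."""
    for alg in wanted_algs:
        for alias, key_alg in keystore.items():
            if key_alg == alg:
                return alias
    return None

# Constructed sample: types [rsa_sign, ecdsa_sign], three schemes, no CA names.
SAMPLE = bytes([2, 1, 64]) + struct.pack("!H3H", 6, 0x0809, 0x0804, 0x0403) + struct.pack("!H", 0)
KEYSTORE = {"client-pss": "RSASSA-PSS"}  # hypothetical client with only a PSS key
```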