RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
Jamil Nimeh
jamil.j.nimeh at oracle.com
Tue Oct 16 16:29:24 UTC 2018
Thanks for the review. Yes, those lines below can be brought up into
one line. I'll get that fixed up.
Thanks,
--Jamil
On 10/15/2018 8:52 PM, Xuelei Fan wrote:
> Looks fine to me.
>
>
> Can the following two lines joined into one? Looks like the length
> does not exceed 80 characters.
>
> int vectorLen = SignatureScheme.sizeInRecord() *
> sigAlgs.size();
>
> Thanks,
> Xuelei
>
> On 10/11/2018 10:11 AM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This fixes an issue with the TLS 1.3 CertificateRequest message. In
>> cases where the server side can initially support multiple protocol
>> versions by the time it issues a CertificateRequest message it
>> collects the list of supported signature schemes for the
>> signature_algorithms and signature_algorithms_cert extensions using
>> all supported protocols as a filtering mechanism.
>>
>> This change alters the filtering process to use only the negotiated
>> protocol, so only those sig algs allowed for that one protocol
>> version will be asserted.
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
>>
More information about the security-dev
mailing list