RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms

Jamil Nimeh jamil.j.nimeh at oracle.com
Tue Oct 16 16:29:24 UTC 2018


Thanks for the review.  Yes, those lines below can be brought up into 
one line.  I'll get that fixed up.

Thanks,
--Jamil

On 10/15/2018 8:52 PM, Xuelei Fan wrote:
> Looks fine to me.
>
>
> Can the following two lines joined into one?  Looks like the length 
> does not exceed 80 characters.
>
>      int vectorLen = SignatureScheme.sizeInRecord() *
>                    sigAlgs.size();
>
> Thanks,
> Xuelei
>
> On 10/11/2018 10:11 AM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This fixes an issue with the TLS 1.3 CertificateRequest message. In 
>> cases where the server side can initially support multiple protocol 
>> versions by the time it issues a CertificateRequest message it 
>> collects the list of supported signature schemes for the 
>> signature_algorithms and signature_algorithms_cert extensions using 
>> all supported protocols as a filtering mechanism.
>>
>> This change alters the filtering process to use only the negotiated 
>> protocol, so only those sig algs allowed for that one protocol 
>> version will be asserted.
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
>>




More information about the security-dev mailing list