RSASSA-PSS support for TLS 1.3

amol borole amol.borole at gmail.com
Wed Feb 22 20:14:16 UTC 2023


Hello,

When using TLS 1.3 and a certificate generated by a keytool command like
'keytool -genkey -keyalg RSASSA-PSS ...', it gets the same error
'javax.net.ssl.SSLHandshakeException: No available authentication scheme'
as listed in
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8211426.

These handshake errors with RSASSA-PSS certificates have been seen in OpenJDK
1.8.0.342-b07 as well as in OpenJDK 19.0.2+7-44. So the question is
whether RSASSA-PSS is supported for TLS 1.3 at all? Which OpenJDK versions
claim TLS 1.3 support for RSASSA-PSS certificates? Is it possible support
was added in intermediate versions like 11 or 12 but not in the latest
version 19?

Note: No handshake errors if RSA/ECDSA certificates (also generated using
keytool) are used with TLS 1.3, those certificates seem to work fine in all
JDK versions.

Thanks,
Amol.