RFR: 8351354: Enhance java -XshowSettings:security:tls to show enabled TLS groups and signature algorithms [v2]
Hai-May Chao
hchao at openjdk.org
Fri Aug 1 19:11:01 UTC 2025
On Fri, 1 Aug 2025 15:28:01 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Thanks for the latest screenshot. I don't think the signature algorithms should be "none". If we can't access the provider-specific defaults, then I think we should omit this information for now. @artur-oracle or @haimaychao can you check this out and see if there is a way to get those defaults? Thanks.
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/javax/net/ssl/SSLParameters.java#L852
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/javax/net/ssl/SSLParameters.java#L868
So if we never call `setSignatureSchemes()` on the `SSLParameters`, then `getSignatureSchemes()` will return null. But that doesn't mean no signature schemes are used; it means the underlying provider-specific default signature schemes will be used over the TLS connections. We may use `System.getProperty("jdk.tls.client.SignatureSchemes")`, but it works if the property has been set. It seems there is no public API we can use to query it directly.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24424#issuecomment-3145519481
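
The behaviour described in the message above, as an added example that is not part of the original post or of the JDK change under review: a small reporter that tells an explicitly configured scheme list apart from a null return and never prints "none" for the latter. The class name `SignatureSchemeReport` and the helper `describe` are hypothetical; it assumes JDK 19 or later, where `SSLParameters.getSignatureSchemes()` exists.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

// Added illustration; class and method names are hypothetical.
public class SignatureSchemeReport {

    // Report only what the public API can actually tell us.
    static String describe(String[] schemes, String property) {
        if (schemes != null) {
            // Someone called setSignatureSchemes() on these parameters.
            return schemes.length == 0
                    ? "explicitly set to an empty list"
                    : "explicitly set: " + String.join(", ", schemes);
        }
        // null means "provider-specific defaults", not "no schemes".
        String override = System.getProperty(property);
        if (override != null && !override.isBlank()) {
            return "provider defaults, customized by -D" + property + "=" + override;
        }
        return "provider-specific defaults (not queryable through public API)";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();

        // Untouched parameters: what a settings dump would see.
        System.out.println("client: "
                + describe(params.getSignatureSchemes(), "jdk.tls.client.SignatureSchemes"));
        System.out.println("server: "
                + describe(params.getSignatureSchemes(), "jdk.tls.server.SignatureSchemes"));

        // After an explicit call the getter returns the configured list.
        // Scheme names below are sample values chosen for this example.
        params.setSignatureSchemes(
                new String[] {"ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"});
        System.out.println("after setSignatureSchemes(): "
                + describe(params.getSignatureSchemes(), "jdk.tls.client.SignatureSchemes"));
    }
}
```

Running it with and without `-Djdk.tls.client.SignatureSchemes=...` shows the two cases in which the public API yields a concrete list, and the remaining case in which it does not.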