RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v18]
Anthony Scarpino
ascarpino at openjdk.org
Thu Mar 13 22:48:54 UTC 2025
On Wed, 12 Mar 2025 17:26:30 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Typo fix
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 198:
> 196: this.host = hc.conContext.transport.getPeerHost();
> 197: this.port = hc.conContext.transport.getPeerPort();
> 198: this.localSupportedSignAlgs = hc.localSupportedCertSignAlgs == null ?
Can we change `this.localSupportedSignAlgs` to something that reflects that it's cert signature algorithms? With many places having both `localSupportedSignAlgs` and `localSupportedCertSignAlgs`, it's confusing to see the non-cert variable set to the cert list.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1994391497
More information about the security-dev
mailing list