RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v18]
Artur Barashev
abarashev at openjdk.org
Fri Mar 14 13:41:57 UTC 2025
On Thu, 13 Mar 2025 22:45:11 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Typo fix
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 198:
>
>> 196: this.host = hc.conContext.transport.getPeerHost();
>> 197: this.port = hc.conContext.transport.getPeerPort();
>> 198: this.localSupportedSignAlgs = hc.localSupportedCertSignAlgs == null ?
>
> Can we change `this.localSupportedSignAlgs` to something that reflects that it's cert signature algorithms? All the other uses in the PR that I've noticed have `localSupportedSignAlgs` set to handshake signature algorithms. It's confusing to this one set to the cert list. An alternative is to use "handshake" in the other variable names, but that is likely a bigger change.
Yes, I also thought about renaming session's `localSupportedSignAlgs` and `peerSupportedSignAlgs` variables, I'm on the fence about it. The thing is we don't really change anything about those variables: they will be used only for certificate's signature algorithm check just like before this change. And they were named this way initially although it was known they are to be used only for certificate signatures.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1995602276
More information about the security-dev
mailing list