RFR: 8373408: SHA1withECDSA is not required for ECDHE and ECDSA
Daniel Jeliński
djelinski at openjdk.org
Tue Jan 13 11:03:09 UTC 2026
On Tue, 13 Jan 2026 07:47:15 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> SunJSSE should not probe SHA1withECDSA signature availably when determining if elliptic curve cryptography is available, as it is deprecated and not required for ECDHE and ECDSA signature schemes. This change removes SHA1withECDSA from the EC availability probe. TLS signature scheme availability is validated later during handshake negotiation.
LGTM.
SHA1withECDSA (`SIGNATURE_ECDSA`) is required for ECDHE_ECDSA in TLS 1.1 and older. Starting with TLS 1.2, there are several hash algorithms available to choose from, and SHA1 is no longer required.
-------------
Marked as reviewed by djelinski (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/29184#pullrequestreview-3655185613
More information about the security-dev
mailing list