RFR: 8373408: SHA1withECDSA is not required for ECDHE and ECDSA
Hai-May Chao
hchao at openjdk.org
Wed Jan 21 21:20:02 UTC 2026
On Tue, 13 Jan 2026 10:59:39 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> SunJSSE should not probe SHA1withECDSA signature availably when determining if elliptic curve cryptography is available, as it is deprecated and not required for ECDHE and ECDSA signature schemes. This change removes SHA1withECDSA from the EC availability probe. TLS signature scheme availability is validated later during handshake negotiation.
>
> LGTM.
>
> SHA1withECDSA (`SIGNATURE_ECDSA`) is required for ECDHE_ECDSA in TLS 1.1 and older. Starting with TLS 1.2, there are several hash algorithms available to choose from, and SHA1 is no longer required.
@djelinski @ascarpino Thanks for the review!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/29184#issuecomment-3781207248
More information about the security-dev
mailing list