JDK-8210989 : RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11,12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-09-21
  • Updated: 2020-11-20
  • Resolved: 2018-10-16
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 8 Other
11.0.3Fixed 12 b16Fixed 8u261Fixed openjdk8u272Fixed
Related Reports
Relates :  
On TLSv1.2, if server requires client auth and client uses RSASSA-PSS certificate (exactly, signature algorithm is rsa_pss_pss_xxx), the certificate would not be selected by the client.
Fix Request - Justification: This issue can cause failures in clients possessing only certificates using RSASSA-PSS signatures or subject public keys when the TLS 1.2 protocol has been negotiated and client certificate authentication is necessary. This scenario will become more common now that TLS 1.3 is supported in most major TLS implementations. ���- Risk Analysis: ���This requires the addition of a method very similar to the certificate selection code for TLS 1.3. This only affects the TLS 1.2 protocol's processing of the CertificateRequest message. This has been tested manually and via SQE tests. - Patch Application: This patch applies without error to jdk11u. - Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8210989/webrev.01/ - Testing: Manual testing has been done to verify the fix as well as running the above mentioned SQE tests which have the RSASSA-PSS tests reinstated. - Back ports: we wish to get this into 11.0.2 if possible.

Adding a private method for SSLPossession selection similar to how we do things with TLS 1.3 appears to solve the problem. This is added to the TLS 1.2 CR consumer.