JDK-8242145 : New System Properties to configure the TLS signature schemes
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 15
  • Submitted: 2020-04-03
  • Updated: 2020-04-21
  • Resolved: 2020-04-21
Description
Summary
-------
Request to add new System Properties for customizing the signature schemes used in TLS connections in the JDK.

Problem
-------
A third party's TLS implementation may not be able to handle certain signature schemes, and therefore cannot interoperate with the JDK.  Although such an implementation does not comply with the TLS specifications, the impact could be significant if an application that uses the implementation is popular.

Solution
--------
A workaround that customizes the signature schemes is needed to interoperate with such third-party TLS implementations.

As old releases are also impacted, the update should be backportable to JDK 8 and 11 as well.

With this update, two System Properties will be added to customize the signature schemes used in the SunJSSE provider.

Specification
-------------
1. New System Property: jdk.tls.client.SignatureSchemes

    This System Property contains a comma-separated list of supported signature scheme names, specifying the signature schemes that may be used on the TLS client side.  The names are not case-sensitive and are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.  Unrecognized or unsupported signature scheme names specified in the property are ignored.

   If the System Property value is not defined (JDK default value) or empty, the provider-specific default is used.


2. New System Property: jdk.tls.server.SignatureSchemes

    This System Property contains a comma-separated list of supported signature scheme names, specifying the signature schemes that may be used on the TLS server side.  The names are not case-sensitive and are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.  Unrecognized or unsupported signature scheme names specified in the property are ignored.

   If the System Property value is not defined (JDK default value) or empty, the provider-specific default is used.

3. Document the System Properties in the JSSE Reference Guide.

Note that the System Properties are currently used by the SunJSSE provider, but they are not guaranteed to be examined and used by other implementations. If they are examined by another implementation, that implementation should handle them in the same manner as the SunJSSE provider does.
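
Because unrecognized names are silently ignored, a typo in the property value does not fail the JVM start; it just leaves a different set of schemes enabled than the operator intended. The following added example (not JDK or SunJSSE code) models the parsing rules stated above for both properties: comma-separated names, case-insensitive matching, unrecognized names dropped, and an undefined or empty value meaning the provider default. It reports the dropped names and the effective list before the `-D` flag is deployed. Assumptions, all mine rather than the CSR's: the embedded name list is a transcription of the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification and should be checked against the release in use; surrounding whitespace is trimmed and duplicates collapsed; "unsupported" (a recognized name with no installed provider) cannot be checked offline and is not modeled; the behaviour when every name is dropped is undefined by the CSR and is flagged as a misconfiguration; the legacy-scheme warning is a local policy choice.

```python
"""Pre-flight check for jdk.tls.client.SignatureSchemes and
jdk.tls.server.SignatureSchemes values (added example, not JDK code)."""
from dataclasses import dataclass, field
from typing import Optional

# Transcribed from the "Signature Schemes" section of the Java Security Standard
# Algorithm Names specification (assumption: verify against the release you run).
# Stored lowercase because the property names are not case-sensitive.
STANDARD_SIGNATURE_SCHEMES = frozenset({
    "dsa_sha1", "dsa_sha224", "dsa_sha256",
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
    "ecdsa_sha1", "ecdsa_sha224",
    "ed25519", "ed448",
    "rsa_pkcs1_sha1", "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_sha224",
})

# Local policy (not part of the CSR): schemes an operator should not be left with
# as the only choice, i.e. anything built on SHA-1 or DSA.
LEGACY_SCHEMES = frozenset(
    s for s in STANDARD_SIGNATURE_SCHEMES if s.endswith("_sha1") or s.startswith("dsa_")
)


@dataclass
class CheckResult:
    uses_provider_default: bool
    effective: list = field(default_factory=list)  # canonical lowercase names, property order
    dropped: list = field(default_factory=list)    # names the provider would ignore
    warnings: list = field(default_factory=list)


def check_signature_schemes(value: Optional[str]) -> CheckResult:
    """Apply the CSR's parsing rules to one property value."""
    # Rule: undefined or empty value -> provider-specific default.
    if value is None or value.strip() == "":
        return CheckResult(uses_provider_default=True)

    effective, dropped, seen = [], [], set()
    for raw in value.split(","):        # rule: comma-separated list
        name = raw.strip()              # assumption: surrounding whitespace tolerated
        if not name:
            continue                    # "a,,b" -> skip the empty entry
        key = name.lower()              # rule: names are not case-sensitive
        if key not in STANDARD_SIGNATURE_SCHEMES:
            dropped.append(name)        # rule: unrecognized names are ignored
            continue
        if key in seen:
            continue                    # assumption: duplicates add nothing
        seen.add(key)
        effective.append(key)

    result = CheckResult(uses_provider_default=False, effective=effective, dropped=dropped)
    if dropped:
        result.warnings.append(
            "ignored unrecognized name(s): " + ", ".join(dropped)
            + " (check spelling; the provider will not fail on them)")
    if not effective:
        result.warnings.append(
            "every name was dropped; the CSR does not define the resulting "
            "behaviour, treat this as a misconfiguration")
    elif all(s in LEGACY_SCHEMES for s in effective):
        result.warnings.append(
            "only legacy SHA-1/DSA schemes remain; this restricts peers to weak signatures")
    return result


def jvm_flag(side: str, result: CheckResult) -> Optional[str]:
    """Render the -D flag for 'client' or 'server'; None when the default applies."""
    if side not in ("client", "server"):
        raise ValueError("side must be 'client' or 'server'")
    if result.uses_provider_default or not result.effective:
        return None
    return f"-Djdk.tls.{side}.SignatureSchemes={','.join(result.effective)}"


if __name__ == "__main__":
    # Constructed sample value: mixed case, stray whitespace, and a typo (sha265).
    r = check_signature_schemes("ecdsa_secp256r1_sha256, RSA_PSS_RSAE_SHA256,rsa_pkcs1_sha265")
    print(jvm_flag("client", r))
    for w in r.warnings:
        print("WARNING:", w)
```

Run it against the exact string you intend to pass on the command line; a non-empty `dropped` list means the running JVM would negotiate with fewer schemes than you think, and the same check applies unchanged to the server-side property.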

Comments
Moving to Approved.
21-04-2020

> Besides the release note, how are these new properties going to be documented? The properties will be documented in "Table 8-3 System Properties and Customized Items" in the "Customizing JSSE" section of the JSSE Reference Guide. https://docs.oracle.com/en/java/javase/14/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9 I added the securitydocs tag in the release note and bug entries, and a documentation item in the Specification section in this CSR.
16-04-2020

Moving to Provisional. Besides the release note, how are these new properties going to be documented?
16-04-2020