JDK-8136442 : Don't tie Certificate signature algorithms to ciphersuites
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2015-09-14
  • Updated: 2016-06-13
  • Resolved: 2015-12-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
8u101Fixed 9 b96Fixed
Related Reports
Duplicate :  
Relates :  
Per TLS ECC spec [section 5.3, RFC 4492],

      ECDHE_ECDSA             Certificate MUST contain an
                              ECDSA-capable public key.  It
                              MUST be signed with ECDSA.

With current JDK RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.

The restrictions on the algorithm used to sign certificates are relaxed
in TLS 1.2 [RFC 5246].  Certificate signature algorithms are no longer
tied to cipher suites.  But we have not removed the restrictions in our
implementation yet.
review thread : http://mail.openjdk.java.net/pipermail/security-dev/2015-November/013095.html