JDK-8260300 : Restrict TLS signature schemes in 8u
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed. Resolved: Release in which this issue/RFE has been resolved. Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
The issue is due to the inability of 3rd party provider (nCipher) on RSASAA-PSS. Currently, in 8u,11u we don't have a mechanism to disable RSASSA-PSS SignatureSchemes in CertificateVerify.
To disable RSASSA-PSS signature schemes, due to issues in 3rd party providers/ application, JDK-8226374 backport would help in 11u and 8u releases.
nCipher added support/ fixed issues related to RSASSA-PSS in 12.60.11. Release notes snippet
Changes since V12.60.11
- Support RSASSA-PSS algorithm in JCE
- Lower restrictions on external keys for JCE HMAC implementation