JDK-8136442 : Don't tie Certificate signature algorithms to ciphersuites
- Type: Bug
- Component: security-libs
- Sub-Component: javax.net.ssl
- Affected Version: 9
- Priority: P3
- Status: Closed
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2015-09-14
- Updated: 2016-06-13
- Resolved: 2015-12-01
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | JDK 9 |
|---|---|
8u101Fixed  |
9 b96Fixed |
Related Reports
|
Duplicate :
|
|
|
Relates :
|
Description
Per TLS ECC spec [section 5.3, RFC 4492],
ECDHE_ECDSA Certificate MUST contain an
ECDSA-capable public key. It
MUST be signed with ECDSA.
With current JDK RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.
The restrictions on the algorithm used to sign certificates are relaxed
in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no longer
tied to cipher suites. But we have not removed the restrictions in our
implementation yet.
Comments
|