JDK-8260300 : Restrict TLS signature schemes in 8u
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u261
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-01-22
  • Updated: 2021-07-01
  • Resolved: 2021-04-20
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8
8u291Fixed
Related Reports
CSR :  
JDK-8264560 - Restrict TLS signature schemes in 8u
Duplicate :  
JDK-8257606 - SSLHandshakeException: Cannot produce CertificateVerify signature
Relates :  
JDK-8171279 - Support X25519 and X448 in TLS
Relates :  
JDK-8226374 - Restrict TLS signature schemes and named groups
Description
The issue is due to the inability of 3rd party provider (nCipher) on RSASAA-PSS. Currently, in 8u,11u we don't have a mechanism to disable RSASSA-PSS SignatureSchemes in CertificateVerify.
Comments
To disable RSASSA-PSS signature schemes, due to issues in 3rd party providers/ application, JDK-8226374 backport would help in 11u and 8u releases.
23-03-2021
nCipher added support/ fixed issues related to RSASSA-PSS in 12.60.11. Release notes snippet Changes since V12.60.11 ----------------------- - Support RSASSA-PSS algorithm in JCE - Lower restrictions on external keys for JCE HMAC implementation
23-03-2021