JDK-8280494 : (D)TLS signature schemes
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2022-01-22
  • Updated: 2024-02-20
  • Resolved: 2022-03-09
Fixed in: JDK 19 (19 b14)
Sub Tasks
JDK-8281290 :  
Description
In a (D)TLS connection, the client and server may support different signature algorithms. (D)TLS specifications (see RFC 8446 and RFC 5246) define the procedure to negotiate the signature algorithms that could be used in digital signatures during the negotiation of (D)TLS connections.

In JEP 332: Transport Layer Security (TLS) 1.3 and the follow-on enhancements, the JDK implemented the procedure and the essential signature schemes. In JDK-8242141, to allow the default signature schemes to be configured, the jdk.tls.client.SignatureSchemes System Property was added for the TLS client side configuration, and the jdk.tls.server.SignatureSchemes System Property was added for the server side configuration.

Rather than using the provider default signature schemes, applications may want to customize the signature schemes for individual connections, for fine control of the security properties. New APIs are needed to support this flexibility.
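
The per-connection customization described above, as an added example that is not taken from the issue or the JDK sources. It assumes JDK 19 or later and uses SSLParameters.setSignatureSchemes, the method added to javax.net.ssl.SSLParameters in JDK 19; the host names and the scheme list are constructed for illustration.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PerConnectionSignatureSchemes {

    // Constructed policy for this example: the signature schemes one
    // connection may offer, in preference order (standard scheme names).
    static final String[] STRICT_SCHEMES = {
        "ecdsa_secp384r1_sha384", "ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"
    };

    // Returns a client-mode engine whose handshake is limited to `schemes`.
    // Other engines created from the same SSLContext are not affected.
    static SSLEngine restrictedClientEngine(SSLContext ctx, String host, int port,
                                            String[] schemes) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setSignatureSchemes(schemes);  // rejects null or blank entries
        engine.setSSLParameters(params);      // applies to this engine only
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Engine left alone: it uses the provider defaults, or the list from
        // -Djdk.tls.client.SignatureSchemes=... if that property was set.
        SSLEngine plain = ctx.createSSLEngine("default.example", 443);
        plain.setUseClientMode(true);

        // Engine with its own list, independent of the process-wide setting.
        SSLEngine strict =
            restrictedClientEngine(ctx, "strict.example", 443, STRICT_SCHEMES);

        // Prints whatever the provider reports for the unconfigured engine,
        // then the per-connection list that was just applied.
        System.out.println("default: "
            + Arrays.toString(plain.getSSLParameters().getSignatureSchemes()));
        System.out.println("strict:  "
            + Arrays.toString(strict.getSSLParameters().getSignatureSchemes()));
    }
}
```

The same SSLParameters object can be applied to an SSLSocket or SSLServerSocket through their setSSLParameters methods, so one server can apply a different list per listener or per connection.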
Comments
Changeset: 6d8d156c Author: Xue-Lei Andrew Fan <xuelei@openjdk.org> Date: 2022-03-09 16:11:07 +0000 URL: https://git.openjdk.java.net/jdk/commit/6d8d156c97b90a9ab4776c6b42563a962d959741
09-03-2022

In the description, it says to read the Withdrawn JEP, but there is now a CSR. Can you update the description with a few more details and point to the CSR instead?
03-02-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/7252 Date: 2022-01-27 22:06:21 +0000
27-01-2022