JDK-8345277 : TLSv1.2 - unable to sign a secp256r1 key with ecdsa_secp384r1_sha384
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8
  • Priority: P4
  • Status: In Progress
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2024-12-01
  • Updated: 2025-04-25
  • Fix Version: tbd (Unresolved)
Description
A DESCRIPTION OF THE PROBLEM :
When connecting to an internal device with a JDK17 and TLS v1.2, the handshake fails with this error:

No supported CertificateVerify signature algorithm for EC key

My key uses the EC "secp256r1", and the negotiated signature algorithm is "ecdsa_secp384r1_sha384". The CertificateVerify stage fails because "ecdsa_secp384r1_sha384" can't be used with the named group "secp256r1". I see in the log:

Ignore the signature algorithm (ecdsa_secp384r1_sha384), unsupported EC parameter spec: secp256r1

cf https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java#L503

When I try to connect to this device with openssl and the same certificate/pkey, it works without any issue.
In TLSv1.2, it seems to be legal to use ecdsa_secp384r1_sha384 with a secp256r1 key (but not in TLSv1.3).

FREQUENCY : always
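To make the failure in the report reproducible offline, here is an added Java example (it is not JDK code and not the submitter's code). It generates a secp256r1 key, identifies the key's curve through the public `AlgorithmParameters` API, and then applies the same rule the JDK's `SignatureScheme` class enforces for both TLS 1.2 and TLS 1.3: an `ecdsa_<curve>_<hash>` scheme is only usable for CertificateVerify when its named group equals the key's curve. The scheme-to-curve table, the helper names and the two "offered scheme" lists are constructed for this example. It also prints the two local settings a JDK client can use to hide `ecdsa_secp256r1_sha256` (`jdk.tls.client.SignatureSchemes` and `jdk.tls.disabledAlgorithms`), which is what the first comment below asks the submitter to check.

```java
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.interfaces.ECKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.List;
import java.util.Map;

public class CertificateVerifySchemeCheck {

    // Constructed table for this example (not the JDK's internal one):
    // each TLS ECDSA signature scheme is bound to one named group.
    static final Map<String, String> ECDSA_SCHEME_TO_CURVE = Map.of(
        "ecdsa_secp256r1_sha256", "secp256r1",
        "ecdsa_secp384r1_sha384", "secp384r1",
        "ecdsa_secp521r1_sha512", "secp521r1");

    // ECParameterSpec does not override equals(), so compare its parts;
    // EllipticCurve and ECPoint do implement value equality.
    static boolean sameCurve(ECParameterSpec a, ECParameterSpec b) {
        return a.getCurve().equals(b.getCurve())
            && a.getGenerator().equals(b.getGenerator())
            && a.getOrder().equals(b.getOrder())
            && a.getCofactor() == b.getCofactor();
    }

    // Recover the named curve of an EC key by comparing its parameters
    // against the standard curves the table above knows about.
    static String curveNameOf(ECKey key) throws Exception {
        for (String name : ECDSA_SCHEME_TO_CURVE.values()) {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(new ECGenParameterSpec(name));
            ECParameterSpec standard = ap.getParameterSpec(ECParameterSpec.class);
            if (sameCurve(standard, key.getParams())) {
                return name;
            }
        }
        return null; // not one of the curves the table covers
    }

    // First peer-offered scheme whose named group matches the key, or null
    // when no offered scheme can sign CertificateVerify with this key.
    static String usableScheme(ECKey key, List<String> peerSchemes) throws Exception {
        String curve = curveNameOf(key);
        if (curve == null) {
            return null;
        }
        for (String scheme : peerSchemes) {
            if (curve.equals(ECDSA_SCHEME_TO_CURVE.get(scheme))) {
                return scheme;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // A P-256 client key, like the one in the report.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        ECKey key = (ECKey) kp.getPrivate();
        System.out.println("key curve: " + curveNameOf(key));

        // Constructed: the peer offers only the P-384 scheme -> no usable scheme,
        // which is the "No supported CertificateVerify signature algorithm" case.
        List<String> offeredOnlyP384 = List.of("ecdsa_secp384r1_sha384");
        System.out.println("offered " + offeredOnlyP384 + " -> " + usableScheme(key, offeredOnlyP384));

        // Constructed: a peer that also offers the P-256 scheme -> handshake can proceed.
        List<String> offeredBoth = List.of("ecdsa_secp384r1_sha384", "ecdsa_secp256r1_sha256");
        System.out.println("offered " + offeredBoth + " -> " + usableScheme(key, offeredBoth));

        // Local JDK settings that can remove ecdsa_secp256r1_sha256 from what
        // this client advertises; check these before blaming the peer.
        System.out.println("jdk.tls.client.SignatureSchemes = "
            + System.getProperty("jdk.tls.client.SignatureSchemes"));
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with `java CertificateVerifySchemeCheck.java` on JDK 11 or later. The first lookup returns `null`, reproducing the report's failure without any network: the only remedy on the JDK side is for the peer to also offer a scheme whose named group matches the key (or for the client to use a key on the curve the peer demands), since the JDK does not relax the curve binding for TLS 1.2.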

Comments
[~tongwan] The provided OpenSSL output doesn't list the exact signature schemes sent by the client, it only lists the type of the signature: `Requested Signature Algorithms: ECDSA+SHA384`.
- Please ask the submitter to provide the `java.security` config file being used by the OpenJDK TLS client. It's possible the "ecdsa_secp256r1_sha256" signature scheme is disabled on the client side.
- Also please ask the submitter to explain on which RFC the following statement is based: "In tlsv1.2, it seem to be legal to use ecdsa_secp384r1_sha384 with a secp256r1 key (but not in tlsv1.3)"
20-03-2025

Requested more information about the signature schemes from the submitter.
16-03-2025

[~tongwan] This doesn't seem to be connected to JDK-8225766. It looks like the only negotiated signature scheme doesn't match the algorithm of the certificate's signing key, which is the same logic for TLSv1.3 and for TLSv1.2. I have a question for the submitter of this issue: What are the signature schemes sent by the openssl client? I would guess openssl sends "ecdsa_secp256r1_sha256" which is the one matching the certificate's algorithm.
14-03-2025

This issue looks related to JDK-8225766.
02-12-2024