JDK-8349583 : Add mechanism to disable signature schemes based on their TLS scope
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-02-06
  • Updated: 2025-05-15
  • Resolved: 2025-03-31
  • JDK 8: 8u471 (Unresolved)
  • JDK 11: 11.0.29-oracle (Unresolved)
  • JDK 17: 17.0.17-oracle (Unresolved)
  • JDK 21: 21.0.9-oracle (Fixed)
  • JDK 25: 25 b17 (Fixed)
Sub Tasks
JDK-8353289 :  
Description
Currently, when a signature scheme constraint is specified with the "jdk.tls.disabledAlgorithms" property, we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
Comments
Changeset: 9c06dcb4
Branch: master
Author: Artur Barashev <abarashev@openjdk.org>
Date: 2025-03-31 16:45:40 +0000
URL: https://git.openjdk.org/jdk/commit/9c06dcb4396c3307d625663d92c0e11d794a56ea
31-03-2025

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/23681
Date: 2025-02-18 21:41:58 +0000
18-02-2025