JDK-8349583 : Add mechanism to disable signature schemes based on their TLS scope
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-02-06
  • Updated: 2025-08-19
  • Resolved: 2025-03-31
Fix versions:
  • JDK 11: 11.0.29-oracle (Fixed)
  • JDK 17: 17.0.17-oracle (Fixed)
  • JDK 21: 21.0.9-oracle (Fixed)
  • JDK 25: 25 b17 (Fixed)
  • JDK 8: 8u471 (Fixed)
Sub Tasks
  • JDK-8353289
Description
Currently, when a signature scheme constraint is specified with the "jdk.tls.disabledAlgorithms" property, we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
Comments
Fix request [17u] I backport this for parity with 17.0.17-oracle based on the commit to 21. Medium risk, larger change to important component. We should not fall back wrt. functionality here, though. Resolves needed. Tests pass.
05-08-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3810 Date: 2025-08-04 10:25:27 +0000
05-08-2025

Fix request [21u] I backport this for parity with 21.0.9-oracle. Medium risk, new, larger feature in important component. We should go along anyways, esp. as there is a release note. Resolved copyright, clean anyways. Tests pass. SAP nightly testing passed.
02-08-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/2027 Date: 2025-08-01 12:17:39 +0000
01-08-2025

Changeset: 9c06dcb4 Branch: master Author: Artur Barashev <abarashev@openjdk.org> Date: 2025-03-31 16:45:40 +0000 URL: https://git.openjdk.org/jdk/commit/9c06dcb4396c3307d625663d92c0e11d794a56ea
31-03-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/23681 Date: 2025-02-18 21:41:58 +0000
18-02-2025