Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8136442

Don't tie Certificate signature algorithms to ciphersuites

XMLWordPrintable

    • b96
    • generic
    • generic

        Per TLS ECC spec [section 5.3, RFC 4492],

              ECDHE_ECDSA Certificate MUST contain an
                                      ECDSA-capable public key. It
                                      MUST be signed with ECDSA.

        With current JDK RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.

        The restrictions on the algorithm used to sign certificates are relaxed
        in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no longer
        tied to cipher suites. But we have not removed the restrictions in our
        implementation yet.

              xuelei Xuelei Fan
              coffeys Sean Coffey
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: