Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8136442

Don't tie Certificate signature algorithms to ciphersuites

    XMLWordPrintable

Details

    • b96
    • generic
    • generic

    Backports

      Description

        Per TLS ECC spec [section 5.3, RFC 4492],

              ECDHE_ECDSA Certificate MUST contain an
                                      ECDSA-capable public key. It
                                      MUST be signed with ECDSA.

        With current JDK RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.

        The restrictions on the algorithm used to sign certificates are relaxed
        in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no longer
        tied to cipher suites. But we have not removed the restrictions in our
        implementation yet.

        Attachments

          Issue Links

            Activity

              People

                xuelei Xuelei Fan
                coffeys Sean Coffey
                Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: