Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8226374

Restrict TLS signature schemes and named groups

XMLWordPrintable

    • b10
    • x86_64
    • windows_7

        A DESCRIPTION OF THE PROBLEM :
        We are trying to disable RSASSA-PSS, because it is not supported in the JCE PKCS11 wrapper, and causes errors when setting up TLS1.2 errors.
        It is possible to do this using jdk.tls.disabledAlgorithms with RSASSA-PSS, if this is done on both sides (client & server).
        But if this is done only on the client side, which means the server still gives RSASSA-PSS as one of the options in it's CertificateRequest message, the client will still choose RSASSA-PSS and fail.

        I think the core of the problem lies within the CertificateVerify.T12CertificateVerifyMessage constructor, which selects the signature algorithm as follows:
                    this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
                            chc.peerRequestedSignatureSchemes,
                            x509Possession.popPrivateKey,
                            chc.negotiatedProtocol);

        chc.peerRequestedSignatureSchemes holds -all- algorithms sent by the server in it's CertificateRequest message. Disabled algorithms are not filtered out.
        The getPreferableAlgorithm method also does not consider disabled algorithms.


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Set up TLS 1.2 client with jdk.tls.disabledAlgorithms with RSASSA-PSS
        Set up TLS 1.2 server which does not have RSASSA-PSS disabled
        Connect the client to the server.



        FREQUENCY : always


              xuelei Xuelei Fan
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: