- Bug
- Resolution: Unresolved
- P4
- 8, 11, 17, 23, 24
- generic
- generic
A DESCRIPTION OF THE PROBLEM :
When connecting to an internal device with a JDK17 and TLS v1.2, the handshake fails with this error:
No supported CertificateVerify signature algorithm for EC key
My key uses the EC "secp256r1", and the negotiated signature algorithm is "ecdsa_secp384r1_sha384". The CertificateVerify stage fails because the "ecdsa_secp384r1_sha384" can't be used with the named group "secp256r1". I see in the log:
Ignore the signature algorithm (ecdsa_secp384r1_sha384), unsupported EC parameter spec: secp256r1
cf https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java#L503
When I try to connect to this device with openssl and the same certificate/pkey, it works without any issue.
In TLSv1.2, it seems to be legal to use ecdsa_secp384r1_sha384 with a secp256r1 key (but not in TLSv1.3).
FREQUENCY : always
- relates to
- JDK-8225766 Curve in certificate should not affect signature scheme when using TLSv1.3
- Closed
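Added example, not part of the original report and not JDK code: a JCA-level check that separates the signing operation from JSSE's signature scheme selection. It signs with a freshly generated secp256r1 key (constructed here, not the reporter's key) under each ECDSA hash and flags which scheme names match the key's curve, the binding that RFC 8446 imposes for TLS 1.3 while noting that the TLS 1.2 semantics did not constrain the signing curve. The class name `EcdsaSchemeCheck` and the scheme table are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;

public class EcdsaSchemeCheck {
    // TLS scheme name, JCA signature algorithm, and field size in bits of the
    // curve that TLS 1.3 (RFC 8446) binds to that scheme name.
    static final String[][] SCHEMES = {
        {"ecdsa_secp256r1_sha256", "SHA256withECDSA", "256"},
        {"ecdsa_secp384r1_sha384", "SHA384withECDSA", "384"},
        {"ecdsa_secp521r1_sha512", "SHA512withECDSA", "521"},
    };

    // Returns true if a signature made with jcaAlg verifies under the same key pair.
    static boolean signAndVerify(KeyPair kp, String jcaAlg, byte[] msg)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance(jcaAlg);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(jcaAlg);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key on the curve named in the report.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        int keyBits = ((ECPublicKey) kp.getPublic())
                .getParams().getCurve().getField().getFieldSize();
        // Constructed stand-in for the data CertificateVerify would sign.
        byte[] msg = "constructed handshake data".getBytes(StandardCharsets.UTF_8);

        for (String[] s : SCHEMES) {
            boolean jcaOk = signAndVerify(kp, s[1], msg);
            boolean curveMatches = keyBits == Integer.parseInt(s[2]);
            System.out.printf("%-24s JCA sign/verify=%-5b curve matches scheme name=%b%n",
                    s[0], jcaOk, curveMatches);
        }
    }
}
```

Running a real client with `-Djavax.net.debug=ssl:handshake` shows which schemes JSSE discards during negotiation, which can be compared against the schemes this check reports as usable at the JCA level.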