Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: P4
Fix Version/s: tbd
Affects Version/s: 25
Component/s: security-libs
Labels:
None

Subcomponent:
javax.net.ssl
Understanding:
Cause Known

~~JDK-8349583~~ implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to ~~JDK-8355779~~ but on the extension producing side.

Per TLSv1.3 RFC:
   -------
   If no "signature_algorithms_cert" extension is
   present, then the "signature_algorithms" extension also applies to
   signatures appearing in certificates.
   -------

caused by

JDK-8349583 Add mechanism to disable signature schemes based on their TLS scope

Resolved

relates to

JDK-8355779 When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

Closed

JDK-8217633 Configurable extensions with system properties

Resolved

Assignee:: Artur Barashev

Reporter:: Artur Barashev

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2 days ago 13:09

Updated:: 3 hours ago

Details

Description

Attachments

Issue Links

Activity

People

Dates