Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P4
Fix Version/s: 26
Affects Version/s: 25
Component/s: security-libs
Labels:
None

Subcomponent:
javax.net.ssl
Resolved In Build:
b18

~~JDK-8349583~~ implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to ~~JDK-8355779~~ but on the extension producing side.

Per TLSv1.3 RFC:
   -------
   If no "signature_algorithms_cert" extension is
   present, then the "signature_algorithms" extension also applies to
   signatures appearing in certificates.
   -------

caused by

JDK-8349583 Add mechanism to disable signature schemes based on their TLS scope

Resolved

relates to

JDK-8355779 When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

Closed

JDK-8217633 Configurable extensions with system properties

Resolved

JDK-8365955 Do not send signature_algorithms_cert extension if not required

Closed

links to

Commit(master) openjdk/jdk/569e7808

Review(master) openjdk/jdk/26887

(1 links to)

Assignee:: Artur Barashev
Reporter:: Artur Barashev
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: 2025-08-19 13:09
Updated:: 2025-10-07 12:11
Resolved:: 2025-09-25 07:51

Details

Description

Attachments

Issue Links

Activity

People

Dates