- Enhancement
- Resolution: Unresolved
- P4
The TLS 1.3 spec says that the signature_algorithms_cert defaults to the algorithms configured in signature_algorithms; we could send signature_algorithms alone unless we're configured to permit different algorithms in both cases.
As one specific example, currently for TLS 1.3 handshakes we remove the RSA_PKCS1 signature schemes from signature_algorithms and only send them in signature_algorithms_cert. However, the spec permits sending RSA_PKCS1 algorithms in signature_algorithms, and some existing TLS implementations do that to avoid sending both extensions.
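The decision described above, sketched as an added example (not JDK `sun.security.ssl` code; the class, method and field names are hypothetical). It assumes two configured lists, one for handshake signatures and one for certificate signatures, and sends `signature_algorithms` alone whenever the certificate list differs from the handshake list only by schemes that TLS 1.3 does not define for handshake messages.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration, not JDK code; all names here are hypothetical.
public class SigAlgExtensionPlanner {
    // IANA SignatureScheme code points from RFC 8446, section 4.2.3.
    enum Scheme {
        ECDSA_SECP256R1_SHA256(0x0403, true),
        RSA_PSS_RSAE_SHA256(0x0804, true),
        RSA_PKCS1_SHA256(0x0401, false),  // certificate signatures only in TLS 1.3
        RSA_PKCS1_SHA384(0x0501, false);

        final int id;
        final boolean handshakeOk;  // defined for TLS 1.3 CertificateVerify
        Scheme(int id, boolean handshakeOk) { this.id = id; this.handshakeOk = handshakeOk; }
        @Override public String toString() { return String.format("%s(0x%04x)", name(), id); }
    }

    // Keeps only schemes usable in signed TLS 1.3 handshake messages, preserving order.
    static List<Scheme> handshakeOnly(List<Scheme> in) {
        return in.stream().filter(s -> s.handshakeOk).collect(Collectors.toList());
    }

    // Returns extension name -> scheme list to place in a TLS 1.3 ClientHello.
    static Map<String, List<Scheme>> plan(List<Scheme> handshakeCfg, List<Scheme> certCfg) {
        List<Scheme> hs = handshakeOnly(handshakeCfg);
        Map<String, List<Scheme>> out = new LinkedHashMap<>();
        if (handshakeOnly(certCfg).equals(hs)) {
            // Same handshake-capable schemes in the same preference order: the extra
            // entries are certificate-only, so one extension carries both meanings.
            out.put("signature_algorithms", certCfg);
        } else {
            // The two policies really differ, so both extensions are required.
            out.put("signature_algorithms", hs);
            out.put("signature_algorithms_cert", certCfg);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configurations.
        List<Scheme> hs = List.of(Scheme.ECDSA_SECP256R1_SHA256, Scheme.RSA_PSS_RSAE_SHA256);
        List<Scheme> plusPkcs1 = List.of(Scheme.ECDSA_SECP256R1_SHA256,
                Scheme.RSA_PSS_RSAE_SHA256, Scheme.RSA_PKCS1_SHA256, Scheme.RSA_PKCS1_SHA384);
        List<Scheme> narrower = List.of(Scheme.RSA_PSS_RSAE_SHA256, Scheme.RSA_PKCS1_SHA256);
        System.out.println(plan(hs, plusPkcs1)); // cert list adds only RSA_PKCS1 entries
        System.out.println(plan(hs, narrower));  // cert list drops ECDSA
    }
}
```

When the single-extension form is used, the receiving side of CertificateVerify must still reject RSA_PKCS1 signatures, since RFC 8446 lists those schemes in `signature_algorithms` for certificate signatures only.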
- relates to
- JDK-8365820 Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
- In Progress