Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8136442

Don't tie Certificate signature algorithms to ciphersuites

    Details

    • Subcomponent:
    • Resolved In Build:
      b96
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        Per TLS ECC spec [section 5.3, RFC 4492],

              ECDHE_ECDSA Certificate MUST contain an
                                      ECDSA-capable public key. It
                                      MUST be signed with ECDSA.

        With current JDK RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.

        The restrictions on the algorithm used to sign certificates are relaxed
        in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no longer
        tied to cipher suites. But we have not removed the restrictions in our
        implementation yet.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  xuelei Xue-Lei Fan
                  Reporter:
                  coffeys Sean Coffey
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: