JDK-8245626

New System Properties to configure the TLS signature schemes

Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11.0.8
    • Component/s: security-libs
    • Labels: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: No expected compatibility risks
    • Interface Kind: System or security property
    • Scope: JDK

Description

Summary

Request to add new System Properties for customizing signature schemes in TLS connections in the JDK. No changes from JDK 15, CSR JDK-8242145.

Problem

A third party's TLS implementation may not be able to handle certain signature schemes and therefore cannot interoperate with the JDK. Although such an implementation does not comply with the TLS specifications, the impact could be significant if an application that uses it is popular.

Solution

A workaround to customize the signature schemes is needed to interoperate with a third party's TLS implementation.

As old releases are also impacted, the update should be backportable to JDK 8 and 11 as well.

With this update, two System Properties will be added to customize the signature schemes used in the SunJSSE provider.

Specification

New System Property: jdk.tls.client.SignatureSchemes

This System Property contains a comma-separated list of supported signature scheme names, specifying the signature schemes that could be used on the TLS client side. The names are not case-sensitive and are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification. Unrecognized or unsupported signature scheme names specified in the property are ignored.

If the System Property value is not defined (JDK default value) or empty, the provider-specific default is used.

New System Property: jdk.tls.server.SignatureSchemes

This System Property contains a comma-separated list of supported signature scheme names, specifying the signature schemes that could be used on the TLS server side. The names are not case-sensitive and are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification. Unrecognized or unsupported signature scheme names specified in the property are ignored.

If the System Property value is not defined (JDK default value) or empty, the provider-specific default is used.

Document the System Properties in the JSSE Reference Guide.

Note that the System Properties are currently used by the SunJSSE provider, but they are not guaranteed to be examined and used by other implementations. If they are examined by another implementation, then that implementation should handle them in the same manner as the SunJSSE provider does.
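The following is an added illustration of the property semantics specified above (comma-separated, case-insensitive, unrecognized names ignored, unset or empty means provider default); it is not SunJSSE's code. The class name, the `resolve` helper and the `SUPPORTED` list are hypothetical, and the list is a constructed subset of standard signature scheme names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class SignatureSchemesDemo {
    // Constructed subset of names from the "Signature Schemes" section of the
    // Java Security Standard Algorithm Names Specification (hypothetical list).
    static final List<String> SUPPORTED = List.of(
        "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384",
        "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384",
        "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "ed25519");

    /**
     * Models the rules stated in the CSR (not the SunJSSE implementation):
     * - null or empty property value -> provider-specific default
     * - comma-separated, surrounding whitespace tolerated
     * - names compared case-insensitively
     * - unrecognized or unsupported names ignored
     * The order of the property value is preserved, duplicates are dropped.
     */
    static List<String> resolve(String propertyValue, List<String> providerDefault) {
        if (propertyValue == null || propertyValue.trim().isEmpty()) {
            return providerDefault;
        }
        List<String> result = new ArrayList<>();
        for (String raw : propertyValue.split(",")) {
            String name = raw.trim().toLowerCase(Locale.ROOT);
            if (name.isEmpty() || result.contains(name)) {
                continue;
            }
            if (SUPPORTED.contains(name)) {
                result.add(name);
            }
            // anything else is silently ignored, as the specification states
        }
        return result;
    }

    public static void main(String[] args) {
        // Run with e.g.
        //   java -Djdk.tls.client.SignatureSchemes=RSA_PSS_RSAE_SHA256,ecdsa_secp256r1_sha256,bogus_scheme SignatureSchemesDemo
        // Expected client output: [rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256]
        String client = System.getProperty("jdk.tls.client.SignatureSchemes");
        String server = System.getProperty("jdk.tls.server.SignatureSchemes");
        System.out.println("client schemes: " + resolve(client, SUPPORTED));
        System.out.println("server schemes: " + resolve(server, SUPPORTED));
    }
}
```

Restricting either list narrows what the peer may negotiate, so a value that leaves only schemes the peer does not support will cause handshake failures rather than a fallback to the defaults.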

People

    • Assignee: Matthias Baesken (mbaesken)
    • Reporter: Xue-Lei Fan (xuelei)
    • Reviewed By: Christoph Langer