You should change the comment above the calls to setupPrivateKeyAndChain
as it still reflects the previous behavior. Also, should this change
only be applicable to TLS 1.2?
--Sean

On 11/29/2015 08:55 AM, Xuelei Fan wrote:
Hi,
Please review the fix for JDK-8136442:
http://cr.openjdk.java.net/~xuelei/8136442/webrev.00/
This update is proposing to remove the certificate signature algorithm
restrictions on cipher suites.
Per TLS ECC spec [section 5.3, RFC 4492],
ECDHE_ECDSA Certificate MUST contain an ECDSA-capable public key.
It MUST be signed with ECDSA.
RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.
That's the current implementation.
However, the restrictions on the algorithm used to sign certificates are
relaxed in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no
longer tied to cipher suites. But we have not removed the restrictions
in our implementation yet.
As this is a straightforward and simple fix, no new test case is planned.
Thanks,
Xuelei