On 11/30/2015 8:45 PM, Sean Mullan wrote: > You should change the comment above the calls to setupPrivateKeyAndChain > as it still reflects the previous behavior. Oops, forgot the update the comment.
Updated: http://cr.openjdk.java.net/~xuelei/8136442/webrev.01/ > Also, should this change only be applicable to TLS 1.2? > TLS 1.2 updates the spec (RFC 4279). The update can be applied to TLS 1.0 and 1.1, too. Thanks, Xuelei > --Sean > > On 11/29/2015 08:55 AM, Xuelei Fan wrote: >> Hi, >> >> Please review the fix for JDK-8136442: >> >> http://cr.openjdk.java.net/~xuelei/8136442/webrev.00/ >> >> This update is proposing to remove the certificate signature algorithms >> restrictions on cipher suites. >> >> Per TLS ECC spec [section 5.3, RFC 4492], >> >> ECDHE_ECDSA Certificate MUST contain an ECDSA-capable public key. >> It MUST be signed with ECDSA. >> >> RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites. >> That's the current implementation. >> >> However, the restrictions on the algorithm used to sign certificates are >> relaxed in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no >> longer tied to cipher suites. But we have not removed the restrictions >> in our implementation yet. >> >> As this is a straightforward and simple fix, no new test case is planed. >> >> Thanks, >> Xuelei >>
