Yes, that seems like a good idea to do. I will add some comments
explaining the change.
--Jamil

On 10/15/2018 11:36 AM, Xuelei Fan wrote:
Looks nice to me.
To help remember the decision, would you mind adding a comment in the
T12CertificateRequestConsumer.consume() block about why we don't use
the CertificateRequest.certificate_types any more? Maybe some words
like, "Note that the certificate_types field is not used here. The
supported_signature_algorithms field has provided sufficient information".
Thanks,
Xuelei

On 10/7/2018 9:33 AM, Jamil Nimeh wrote:
Hello all, this fixes an issue where for TLSv1.2 connections
specifically, clients will not authenticate using PSS certs even when
PSS signature algorithms are asserted in the CertificateRequest
message. This brings in a method for client certificate selection
similar to how we do it for TLS 1.3. TLS 1.3, 1.1 and 1.0 client
certificate selection is not affected by this fix.
JBS: https://bugs.openjdk.java.net/browse/JDK-8210989
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8210989/webrev.01/
--Jamil
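
The following is an added illustration, not part of the thread and not the JDK's T12CertificateRequestConsumer code. It parses a constructed TLS 1.2 CertificateRequest body and shows why key types derived from certificate_types never include RSASSA-PSS, while those derived from supported_signature_algorithms do. The class name, the mapping tables and the sample bytes are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.util.*;

// Added illustration; class and helper names are hypothetical.
public class CertRequestKeyTypes {
    // TLS 1.2 ClientCertificateType values (RFC 5246) -> JCA key algorithm.
    static final Map<Integer, String> CERT_TYPES = Map.of(1, "RSA", 2, "DSA", 64, "EC");
    // SignatureScheme code points (RFC 8446) -> JCA algorithm of the signing key.
    static final Map<Integer, String> SIG_SCHEMES = Map.of(
        0x0401, "RSA",         // rsa_pkcs1_sha256
        0x0403, "EC",          // ecdsa_secp256r1_sha256
        0x0804, "RSA",         // rsa_pss_rsae_sha256
        0x0809, "RSASSA-PSS"); // rsa_pss_pss_sha256

    // Reads a vector of fixed-width entries behind a 1- or 2-byte length prefix.
    static List<Integer> readVector(ByteBuffer in, int lenBytes, int itemBytes) {
        int len = lenBytes == 1 ? in.get() & 0xFF : in.getShort() & 0xFFFF;
        if (len % itemBytes != 0 || len > in.remaining())
            throw new IllegalArgumentException("malformed vector");
        List<Integer> items = new ArrayList<>();
        for (int i = 0; i < len; i += itemBytes)
            items.add(itemBytes == 1 ? in.get() & 0xFF : in.getShort() & 0xFFFF);
        return items;
    }

    // Maps wire code points to key algorithm names, keeping the peer's order.
    static Set<String> keyTypes(List<Integer> codes, Map<Integer, String> table) {
        Set<String> out = new LinkedHashSet<>();
        for (int c : codes) {
            String alg = table.get(c);
            if (alg != null) out.add(alg);   // unknown code points are skipped
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed body: certificate_types = {rsa_sign, ecdsa_sign},
        // supported_signature_algorithms = {0x0809, 0x0804, 0x0403},
        // empty certificate_authorities.
        byte[] body = {2, 1, 64,  0, 6, 0x08, 0x09, 0x08, 0x04, 0x04, 0x03,  0, 0};
        ByteBuffer in = ByteBuffer.wrap(body);
        Set<String> byType = keyTypes(readVector(in, 1, 1), CERT_TYPES);
        Set<String> bySigAlg = keyTypes(readVector(in, 2, 2), SIG_SCHEMES);
        System.out.println("from certificate_types:              " + byType);
        System.out.println("from supported_signature_algorithms: " + bySigAlg);
        // A client holding only an RSASSA-PSS key matches only the second set.
        System.out.println("PSS key selectable: " + byType.contains("RSASSA-PSS")
            + " vs " + bySigAlg.contains("RSASSA-PSS"));
    }
}
```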