On Tue, 26 Aug 2025 19:09:03 GMT, Artur Barashev <[email protected]> wrote:
>> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation >> assumes that OpenJDK client always sends "signature_algorithms_cert" >> extension together with "signature_algorithms" extension. But we didn't >> account for `jdk.tls.client.disableExtensions` and >> `jdk.tls.server.disableExtensions` system properties which can disable >> producing "signature_algorithms_cert" extension. This is an issue similar to >> [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the >> extension producing side. >> >> Per TLSv1.3 RFC: >> >>> If no "signature_algorithms_cert" extension is >>> present, then the "signature_algorithms" extension also applies to >>> signatures appearing in certificates. >> >> Also making a few cosmetic changes to the existing code. > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Add a server-side unit test. Rename existing tests. test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS12.java line 56: > 54: + CERTIFICATE_DISABLED_SIG + " usage certificateSignature"; > 55: > 56: // Signature schemes not supported in TLSv1.3 for the handshake Add this bug number to the list of @bug test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS13.java line 68: > 66: SIG_ALGS_EXT); > 67: > 68: // These signature schemes MOST NOT be present in > signature_algorithms Bug number to be added to @bug ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2337193012 PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2337199121
