On Mon, 22 Sep 2025 08:19:13 GMT, Hai-May Chao <[email protected]> wrote:
>> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains eight additional commits since the last revision:
>>
>>  - Add a ticket number to unit tests
>>  - Merge branch 'master' into JDK-8365820
>>  - Add a server-side unit test. Rename existing tests.
>>  - Update tests
>>  - Revert "Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3"
>>
>>    This reverts commit adc236be4bcac11614e2741c99545aa593f6af5b.
>>  - Merge branch 'master' into JDK-8365820
>>  - Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3
>>  - 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
>
> test/jdk/sun/security/ssl/SignatureScheme/DisableCertSignAlgsExtForServerTLS13.java line 131:
>
>> 129:                 // instead, depends on network setup.
>> 130:                 || ex instanceof SocketException));
>> 131:     }
>
> Here for TLS 1.3, handshake always fails because SHA256withRSA is not allowed for client certificates. Would you consider adding a positive test for TLS 1.3 with a client certificate signed with RSASSA-PSS so we could test handshake will succeed as the client complies?

Actually SHA256withRSA is not allowed for handshake signatures in TLSv1.3, I made a mistake in the test's comment about it which is now corrected. Otherwise I have added a positive test case, good suggestion!

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2370279948
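
The scope rule discussed in this thread, as an added example that is not part of the original message or of the JDK code: it parses a `signature_algorithms` extension body and splits the offered schemes into those usable for TLS 1.3 handshake signatures and those that apply to certificate signatures, following RFC 8446 section 4.2.3. The function names and the sample bytes are constructed for illustration; `rsa_pkcs1_sha256` is the TLS scheme that corresponds to the JCA name SHA256withRSA.

```python
import struct
from typing import Optional

# TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3).
SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}
# RSASSA-PKCS1-v1_5 and legacy SHA-1 schemes refer solely to signatures in
# certificates; they are not defined for signed TLS 1.3 handshake messages.
CERT_ONLY = {0x0401, 0x0501, 0x0601, 0x0201, 0x0203}


def parse_scheme_list(body: bytes) -> list:
    """Parse extension_data: a u16 byte length followed by u16 code points."""
    if len(body) < 2:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", body, 0)
    if n == 0 or n % 2 or n != len(body) - 2:
        raise ValueError("bad supported_signature_algorithms length")
    return list(struct.unpack_from(f"!{n // 2}H", body, 2))


def effective_scopes(sig_algs: bytes, sig_algs_cert: Optional[bytes] = None):
    """Return (handshake_schemes, certificate_schemes) as lists of names."""
    offered = parse_scheme_list(sig_algs)
    # Only known, non-certificate-only schemes may sign CertificateVerify.
    handshake = [c for c in offered if c in SCHEMES and c not in CERT_ONLY]
    # Without signature_algorithms_cert, signature_algorithms also applies
    # to signatures appearing in certificates.
    cert = offered if sig_algs_cert is None else parse_scheme_list(sig_algs_cert)

    def name(code):
        return SCHEMES.get(code, f"0x{code:04x}")

    return [name(c) for c in handshake], [name(c) for c in cert]


# Constructed sample: rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp256r1_sha256
SAMPLE = bytes.fromhex("0006" "0804" "0401" "0403")

if __name__ == "__main__":
    print(effective_scopes(SAMPLE))
```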
