On Thu, 21 Aug 2025 16:02:05 GMT, Artur Barashev <[email protected]> wrote:
> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation > assumes that OpenJDK client always sends "signature_algorithms_cert" > extension together with "signature_algorithms" extension. But we didn't > account for `jdk.tls.client.disableExtensions` and > `jdk.tls.server.disableExtensions` system properties which can disable > producing "signature_algorithms_cert" extension. This is an issue similar to > [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the > extension producing side. > > Per TLSv1.3 RFC: > >> If no "signature_algorithms_cert" extension is >> present, then the "signature_algorithms" extension also applies to >> signatures appearing in certificates. > > Also making a few cosmetic changes to the existing code. This pull request has now been integrated. Changeset: 569e7808 Author: Artur Barashev <[email protected]> URL: https://git.openjdk.org/jdk/commit/569e78080b3c25c95d85e9e194626f95f86b9b10 Stats: 569 lines in 7 files changed: 516 ins; 33 del; 20 mod 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent Reviewed-by: hchao ------------- PR: https://git.openjdk.org/jdk/pull/26887
