Hi Max,

You are right, it is possible that the algorithm name does not conform to the <digest>With<encryption> format. Since RFC5929 does not specify this situation, I would suggest using the “SHA-256” hash instead of throwing a SaslException.

Regards
Alexey

> On 27 May 2020, at 13:25, Weijun Wang <weijun.w...@oracle.com> wrote:
>
>> On May 21, 2020, at 3:35 PM, Alexey Bakhtin <ale...@azul.com> wrote:
>>
>> The hash algorithm is selected on the base of the certificate
>> signature algorithm.
>> Also, the client should use SHA-256 algorithm, in case of the
>> certificate signature algorithm is SHA1 or MD5
>
> According to https://www.rfc-editor.org/rfc/rfc5929#section-4.1, this is the
> right approach. I'm just curious if you have seen newer signature algorithms
> like RSASSA-PSS and EdDSA used in reality, since the latest TLS spec already
> defined ciphersuites around them.
>
> Thanks,
> Max
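
The hash selection discussed in this thread, as an added example that is not code from either correspondent: `selectHash` applies the RFC 5929 section 4.1 rule (MD5 and SHA-1 become SHA-256) and the SHA-256 fallback suggested above for names that are not in <digest>with<encryption> form. The class and method names are hypothetical, the certificate bytes are a constructed stand-in, and reusing the fallback for an unrecognised digest name is an assumption of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class EndPointHashDemo {
    static final String FALLBACK = "SHA-256";

    // sigAlgName is the value X509Certificate.getSigAlgName() returns.
    static String selectHash(String sigAlgName) {
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        int idx = upper.indexOf("WITH");
        if (idx <= 0) {
            return FALLBACK; // not <digest>with<encryption>, e.g. RSASSA-PSS, Ed25519
        }
        String digest = upper.substring(0, idx);
        // JCA digest names carry a dash that signature names drop: SHA384 -> SHA-384.
        if (digest.startsWith("SHA") && !digest.contains("-")) {
            digest = "SHA-" + digest.substring(3);
        }
        if (digest.equals("MD5") || digest.equals("SHA-1")) {
            return FALLBACK; // RFC 5929 section 4.1: MD5 and SHA-1 become SHA-256
        }
        try {
            MessageDigest.getInstance(digest); // is this a digest the JCA knows?
            return digest;
        } catch (NoSuchAlgorithmException e) {
            return FALLBACK; // assumption of this example: unknown digest, same fallback
        }
    }

    // certDer stands for X509Certificate.getEncoded() of the server certificate.
    static byte[] endPointHash(String sigAlgName, byte[] certDer)
            throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(selectHash(sigAlgName)).digest(certDer);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in bytes, not a real certificate.
        byte[] certDer = "constructed-certificate-bytes".getBytes(StandardCharsets.UTF_8);
        String[] names = {"MD5withRSA", "SHA1withRSA", "SHA256withRSA",
                          "SHA384withECDSA", "RSASSA-PSS", "Ed25519"};
        for (String name : names) {
            System.out.printf("%-16s -> %-8s (%d-byte binding hash)%n", name,
                    selectHash(name), endPointHash(name, certDer).length);
        }
    }
}
```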