Hi all,

I noticed, looking at the JSSE cipher suite selection, that EC certificates are unnecessarily restricted when TLS 1.2 is used. Specifically, sun.security.ssl.ServerHandshaker.trySetCipherSuite(CipherSuite) requires “EC_EC” certs (an EC key, signed with an EC issuer key) for *_ECDSA suites, and requires “EC_RSA” for ECDH_RSA suites.

The restrictions on the signing key for EC certs were specified in RFC 4492 [1] (which introduced EC cipher suites for TLS 1.0 and 1.1), but were explicitly removed in TLS 1.2 by RFC 5246 [2] (see Appendix A.7 and sections 7.4.2 and 7.4.6). (As an aside, this effectively makes ECDH_RSA an alias for ECDH_ECDSA.) I.e., for TLS 1.2, an “EC”-only restriction is appropriate for ECDH_RSA and *_ECDSA suites.

I’ve successfully tested JSSE negotiating TLS 1.2 + ECDHE_ECDSA with an EC cert signed by an RSA issuer (in this case using Tomcat, which hard-codes the key alias to use, ignoring the keyType provided to the key store selection APIs), so this restriction can probably be quite simply removed.

cheers
tim

[1] https://tools.ietf.org/html/rfc4492
[2] https://tools.ietf.org/html/rfc5246#appendix-A.7
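A small Python model of the two rules contrasted above, added here as an illustration and not JSSE code: the "EC_EC" / "EC_RSA" / "EC" labels follow the keyType strings the post names, while the function names and the `relaxed_for_tls12` switch are my own construction.

```python
"""Constructed model of the server-cert key-type check described in the post.

relaxed_for_tls12=False reproduces the RFC 4492 restriction (applied by JSSE
to every protocol version); True applies RFC 5246 Appendix A.7 for TLS 1.2.
"""
from typing import Optional

# Key-exchange families whose certificate type JSSE restricts (per the post).
ECDSA_SUITES = {"ECDH_ECDSA", "ECDHE_ECDSA"}
ECDH_RSA_SUITES = {"ECDH_RSA"}


def required_key_type(key_exchange: str, protocol: str,
                      relaxed_for_tls12: bool) -> Optional[str]:
    """keyType the server must present, or None for non-EC suites."""
    if key_exchange in ECDSA_SUITES:
        strict = "EC_EC"        # EC key, EC issuer key
    elif key_exchange in ECDH_RSA_SUITES:
        strict = "EC_RSA"       # EC key, RSA issuer key
    else:
        return None
    if relaxed_for_tls12 and protocol == "TLSv1.2":
        return "EC"             # issuer signature algorithm no longer constrained
    return strict


def chain_key_type(leaf_key_alg: str, issuer_key_alg: str) -> str:
    """Label a cert the way the JSSE keyType strings do: "<key>_<issuer key>"."""
    return f"{leaf_key_alg}_{issuer_key_alg}"


def cert_satisfies(required: Optional[str], leaf_key_alg: str,
                   issuer_key_alg: str) -> bool:
    """True if a cert with these algorithms can be selected for `required`."""
    if required is None:
        return False
    if "_" in required:          # both key and issuer key are constrained
        return chain_key_type(leaf_key_alg, issuer_key_alg) == required
    return leaf_key_alg == required   # only the key algorithm is constrained


def can_negotiate(key_exchange: str, protocol: str, leaf_key_alg: str,
                  issuer_key_alg: str, relaxed_for_tls12: bool) -> bool:
    """Would the handshaker accept this cert for this suite and version?"""
    required = required_key_type(key_exchange, protocol, relaxed_for_tls12)
    return cert_satisfies(required, leaf_key_alg, issuer_key_alg)


if __name__ == "__main__":
    # Constructed case from the post: EC leaf signed by an RSA issuer, TLS 1.2.
    print(can_negotiate("ECDHE_ECDSA", "TLSv1.2", "EC", "RSA", False))  # rejected
    print(can_negotiate("ECDHE_ECDSA", "TLSv1.2", "EC", "RSA", True))   # accepted
```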