Hi Tim,

Thanks for finding the restriction in OpenJDK. The bug is tracked as JDK-8071858: https://bugs.openjdk.java.net/browse/JDK-8071858
(I just filed the bug; it may need some time to become publicly visible.)

Thanks & Regards,
Xuelei

On 1/29/2015 9:32 AM, Tim Whittington wrote:
> Hi all
>
> I noticed looking at the JSSE cipher suite selection that EC certificates are
> unnecessarily restricted when TLS 1.2 is used.
> Specifically sun.security.ssl.ServerHandshaker.trySetCipherSuite(CipherSuite)
> requires "EC_EC" certs (an EC key, signed with an EC issuer key) for *_ECDSA
> suites, and requires "EC_RSA" for ECDH_RSA suites.
>
> The restrictions on the signing key for EC certs were specified in RFC 4492 [1]
> (which introduced EC cipher suites for TLS 1.0 and 1.1), but were explicitly
> removed in TLS 1.2 by RFC 5246 [2] (see Appendix A.7 and sections 7.4.2 and
> 7.4.6) (as an aside, this effectively makes ECDH_RSA an alias for
> ECDH_ECDSA).
>
> i.e. for TLS 1.2, an "EC" only restriction is appropriate for ECDH_RSA and
> *_ECDSA suites.
>
> I've successfully tested JSSE negotiating TLS 1.2 + ECDHE_ECDSA with an EC
> cert signed by an RSA issuer (in this case using Tomcat, which hard-codes the
> key alias to use, ignoring the keyType provided to the key store selection
> APIs), so this restriction can probably be quite simply removed.
>
> cheers
> tim
>
> [1] https://tools.ietf.org/html/rfc4492
> [2] https://tools.ietf.org/html/rfc5246#appendix-A.7
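The key-type rule Tim describes, modelled as a small Python program. This is an added illustration, not OpenJDK's or JSSE's code: the key-type strings ("EC_EC", "EC_RSA") follow the convention quoted in the thread, while the function names, the suite-name parsing and the cipher suite list are assumptions made for the example. It contrasts the RFC 4492 rule (issuer signing key tied to the suite name) with the TLS 1.2 rule from RFC 5246 ("EC" only), and shows which suite a server holding an RSA-signed EC certificate ends up negotiating under each.

```python
"""Model of the ECC certificate key-type check discussed in the thread (added
example; not JSSE code). Key-type strings follow the thread's convention."""
import re

TLS11 = (3, 2)   # wire versions: TLS 1.1 = 3.2, TLS 1.2 = 3.3
TLS12 = (3, 3)

# Pull the key-exchange component out of a JSSE-style suite name, e.g.
# "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" -> "ECDHE_ECDSA".
_SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>[A-Z0-9_]+?)_WITH_")


def key_exchange_of(suite: str) -> str:
    m = _SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"not a TLS cipher suite name: {suite!r}")
    return m.group("kx")


def cert_key_type(public_key_alg: str, issuer_key_alg: str) -> str:
    """Classify a server certificate the way the thread does: "EC_EC" is an EC
    key in a certificate signed with an EC issuer key, "EC_RSA" an EC key
    signed with an RSA issuer key. Non-EC keys are named by their algorithm."""
    if public_key_alg == "EC":
        return f"EC_{issuer_key_alg}"
    return public_key_alg


def cert_usable(key_type: str, key_exchange: str, tls_version: tuple) -> bool:
    """Can a certificate of this key type back this key exchange?"""
    if key_exchange in ("ECDHE_ECDSA", "ECDH_ECDSA", "ECDH_RSA"):
        if tls_version >= TLS12:
            # RFC 5246 (A.7, 7.4.2, 7.4.6): only the key type matters, so any
            # EC certificate will do, and ECDH_RSA / ECDH_ECDSA become aliases.
            return key_type.startswith("EC_")
        # RFC 4492 rule: the issuer's signing key is tied to the suite name.
        wanted = "EC_RSA" if key_exchange == "ECDH_RSA" else "EC_EC"
        return key_type == wanted
    if key_exchange in ("RSA", "DHE_RSA", "ECDHE_RSA"):
        return key_type == "RSA"
    if key_exchange == "DHE_DSS":
        return key_type == "DSA"
    return False   # anonymous / PSK / unknown exchanges are not modelled here


def select_suite(client_offer, key_type: str, tls_version: tuple):
    """First suite in the client's preference order that the server's
    certificate can back, or None. Stands in for the trySetCipherSuite loop."""
    for suite in client_offer:
        if cert_usable(key_type, key_exchange_of(suite), tls_version):
            return suite
    return None


if __name__ == "__main__":
    # Constructed scenario from the thread: an EC server key in a certificate
    # issued (signed) by an RSA CA, and a client that prefers ECDHE_ECDSA.
    kt = cert_key_type("EC", "RSA")   # "EC_RSA"
    offer = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
             "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print("TLS 1.1:", select_suite(offer, kt, TLS11))
    print("TLS 1.2:", select_suite(offer, kt, TLS12))
```

Under the pre-1.2 rule the RSA-signed EC certificate cannot back ECDHE_ECDSA, so the server falls through to the static ECDH_RSA suite even though the client preferred an ephemeral one; under the TLS 1.2 rule the same certificate backs ECDHE_ECDSA, ECDH_ECDSA and ECDH_RSA alike, which is the aliasing Tim points out. Applying the stricter rule to TLS 1.2 connections therefore costs such deployments the forward-secret suite, not just interoperability.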