
Java Security


How to restrict signature algorithms from the client side in Java

user-4m5fb, May 16 2023

By default for TLS 1.3, the offered signature algorithms prefer ECDSA followed by RSA. However, for my Java code, I want my client to offer only RSA signature algorithms as part of the client hello. How can that be achieved?

I tried using jdk.tls.client.SignatureSchemes="RSAWITHSHA256,RSAWITHSHA384,RSAWITHSHA512", but the client still presents the following algorithms as part of the client hello:

ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1.

How can we explicitly restrict ECDSA signature algorithms in Java client code?

I tried setting jdk.tls.client.SignatureSchemes="RSAWITHSHA256,RSAWITHSHA384,RSAWITHSHA512" as a system property and at runtime; it didn't work for me.

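An added example, not part of the original post and not Oracle's code: one way to check what a Java client actually offers is to generate the ClientHello offline with an SSLEngine and read its signature_algorithms extension. It assumes JDK 11 or later and sets jdk.tls.client.SignatureSchemes to the IANA TLS signature scheme names (rsa_pss_rsae_sha256 and so on) used in the JSSE documentation; the class name and the peer name example.test are constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class RsaOnlyClientHello {
    // Preference-ordered RSA schemes, written as IANA TLS SignatureScheme names.
    static final String ALLOWED = "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,"
            + "rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512";
    // IANA code points of the same six schemes, used to check the ClientHello.
    static final Set<Integer> RSA_CODES = Set.of(0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601);

    public static void main(String[] args) throws Exception {
        // JSSE reads this property once, so set it before any TLS class is used
        // (or pass -Djdk.tls.client.SignatureSchemes=... on the command line).
        System.setProperty("jdk.tls.client.SignatureSchemes", ALLOWED);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine("example.test", 443); // constructed name, no network I/O
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer record = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), record); // first wrap() emits the ClientHello record
        record.flip();
        for (int code : offeredSchemes(record))
            System.out.printf("0x%04x %s%n", code, RSA_CODES.contains(code) ? "rsa" : "NOT IN RSA ALLOWLIST");
    }

    // Walks the ClientHello to the signature_algorithms extension (type 13) and returns its code points.
    static List<Integer> offeredSchemes(ByteBuffer b) {
        b.position(5 + 4 + 2 + 32);          // record header, handshake header, legacy_version, random
        skip(b, b.get() & 0xff);             // legacy_session_id
        skip(b, b.getShort() & 0xffff);      // cipher_suites
        skip(b, b.get() & 0xff);             // legacy_compression_methods
        int extLen = b.getShort() & 0xffff;
        int end = b.position() + extLen;
        List<Integer> codes = new ArrayList<>();
        while (b.position() < end) {
            int type = b.getShort() & 0xffff;
            int len = b.getShort() & 0xffff;
            if (type != 13) { skip(b, len); continue; }
            for (int n = (b.getShort() & 0xffff) / 2; n > 0; n--) codes.add(b.getShort() & 0xffff);
        }
        return codes;
    }

    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }
}
```

On JDK 19 and later the same list can be set per connection with SSLParameters.setSignatureSchemes instead of the JVM-wide property.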