Java Security

How to restrict Signature algorithms from client side in java

user-4m5fb, May 16 2023

By default for TLS 1.3, the offered signature algorithms prefer ECDSA followed by RSA. However, for my Java code, I want my client to offer only RSA signature algorithms as part of the client hello. How can that be achieved?

I tried using jdk.tls.client.SignatureSchemes="RSAWITHSHA256,RSAWITHSHA384,RSAWITHSHA512", but the client still presents the following algorithms as part of client hello

ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1.

How can we explicitly restrict ECDSA signature algorithms in Java client code?

I tried setting jdk.tls.client.SignatureSchemes="RSAWITHSHA256,RSAWITHSHA384,RSAWITHSHA512" as a system property and at runtime; it didn't work for me.
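
An added example, not part of the original post: the `jdk.tls.client.SignatureSchemes` property takes the TLS signature scheme names from the Java Security Standard Algorithm Names list (for example `rsa_pss_rsae_sha256`), and names JSSE does not recognize are ignored. The sketch below sets an RSA-only list both JVM-wide and per connection, then builds a ClientHello in memory. The class name, host name and exact scheme selection are assumptions; `SSLParameters.setSignatureSchemes` requires JDK 19 or later.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.nio.ByteBuffer;

public class RsaOnlyClientHello {
    // Standard scheme names. In TLS 1.3, rsa_pss_rsae_* is used for handshake
    // signatures made with an RSA key; rsa_pkcs1_* only covers signatures
    // inside certificates, so both families are offered here.
    static final String[] RSA_ONLY = {
        "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
        "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512"
    };

    public static void main(String[] args) throws Exception {
        // JVM-wide setting: comma-separated, no quotes inside the value, and
        // set before any TLS context or socket is created in this JVM.
        // Command-line equivalent: -Djdk.tls.client.SignatureSchemes=rsa_pss_rsae_sha256,...
        System.setProperty("jdk.tls.client.SignatureSchemes",
                String.join(",", RSA_ONLY));

        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null); // default key and trust managers

        // "server.example" is a placeholder peer name; nothing is sent on the network.
        SSLEngine engine = ctx.createSSLEngine("server.example", 443);
        engine.setUseClientMode(true);

        // Per-connection setting (JDK 19+), independent of the system property.
        SSLParameters params = engine.getSSLParameters();
        params.setSignatureSchemes(RSA_ONLY);
        engine.setSSLParameters(params);

        // Produce the ClientHello record in memory so the offered
        // signature_algorithms extension can be inspected in the debug log.
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);
        System.out.println("ClientHello record: " + out.position() + " bytes");
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` prints the ClientHello, including the `signature_algorithms` extension, so the offered list can be checked against the configured one.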
