Closed zhichengliu12581 closed 2 years ago
Points 1 and 2: When a lower version of jdk selects the signature algorithm supported, the certificate size will not affect the selection process. Caused the problem: When selecting the signature algorithm, the certificate in the keyvault does not support the selected algorithm. For example, the certificate of elliptic curve P-256 cannot be signed with SHA-512. When using a browser to access a resource (Web application), SHA-256 will be used first, so if the resource uses a P-512 certificate, the signature will fail. When using the client (SSLContext) to access the resource, first use SHA-512. If the resource uses a P-256 certificate, the signature will fail.
The temporary solution is add
Security.setProperty("jdk.tls.disabledAlgorithms", "SHA256withECDSA,SHA512withECDSA,SHA512withRSA,SHA384withRSA");
in application to disable the Algorithms which shouldn't support. This is not a good solution.
Point 3:
JDK doesn't support RSASSA-PSS before 262, we should add the SHA256withRSA
,SHA384withRSA
,SHA512withRSA
for the lower version.
Best practice should be only supporting the latest version of JDK.
We don't support this feature because in version lower than 262, which can't support RSA256 and RSA512 at the same time. Also need to add Security.setProperty("jdk.tls.disabledAlgorithms", "SHA512withRSA,SHA384withRSA");
in different situations.
Key less function have these questions when the jdk1.8 version is lower than 262.