
When connecting to an internal device with JDK 17 using TLS 1.2, the handshake fails with this error:

No supported CertificateVerify signature algorithm for EC key

My key uses the EC curve "secp256r1", and the negotiated signature algorithm is "ecdsa_secp384r1_sha384".

The CertificateVerify stage fails because "ecdsa_secp384r1_sha384" can't be used with the named group "secp256r1". I see in the log:

Ignore the signature algorithm (ecdsa_secp384r1_sha384), 
unsupported EC parameter spec: secp256r1

https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java#L503

When I try to connect to this device with openssl and the same certificate/private key, it works without any issue.

Is it something "not implemented yet" in the JDK, or what am I doing wrong here? Due to the nature of this device, I can't use other algorithms for the key or the signature.

  • This looks like a bug. Sigalgs 0x0503 in TLSv1.3 is ecdsa_secp384r1_sha384 but in TLSv1.2 it is only ecdsa+sha384 i.e. the curve is constrained in 1.3 but not in 1.2, so in 1.2 it is legal to use this sigalg with your secp256r1-aka-P256 key/cert. It is inefficient securitywise and not recommended, but it is legal. Until/unless you can get this fixed in SunJSSE, you could use BouncyCastle (BCJSSE works), or you could revert to a Java version below 8u291 (losing all newer features and fixes). Or you could do the TLS externally with something like stunnel or socat (both using OpenSSL). Commented Dec 1, 2024 at 3:27
  • Thanks for your comments. I will try with BCJSSE instead, and file an issue on the OpenJDK JIRA. Commented Dec 1, 2024 at 9:04
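The following is an added example (not code from the question or the JDK) that makes the rule from the comment above concrete: it reads the named curve of an EC key the same way the JDK's ECUtil does (via AlgorithmParameters, assumed here to return a name starting with "secp256r1") and then checks code point 0x0503 against that curve under the TLS 1.2 rule (RFC 5246, hash + signature type only) and the TLS 1.3 rule (RFC 8446, curve is part of the scheme). It models what the standards permit, not SunJSSE's actual check, which the question shows applying the TLS 1.3 constraint to a TLS 1.2 handshake.

```java
import java.security.AlgorithmParameters;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Map;

public class SigSchemeCurveCheck {
    // ECDSA SignatureScheme code points (RFC 8446 section 4.2.3) and the
    // curve each one is bound to in TLS 1.3. In TLS 1.2 the same code points
    // only mean "ecdsa + <hash>" (RFC 5246 section 7.4.1.4.1).
    static final Map<Integer, String[]> ECDSA_SCHEMES = Map.of(
        0x0403, new String[] {"ecdsa_secp256r1_sha256", "secp256r1"},
        0x0503, new String[] {"ecdsa_secp384r1_sha384", "secp384r1"},
        0x0603, new String[] {"ecdsa_secp521r1_sha512", "secp521r1"});

    // Resolve the standard curve name of an EC key from its domain parameters.
    // Assumption: SunEC returns "secp256r1" or "secp256r1 [NIST P-256, ...]";
    // the split keeps only the first token either way.
    static String curveNameOf(ECKey key) throws Exception {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
        ap.init(key.getParams());
        String name = ap.getParameterSpec(ECGenParameterSpec.class).getName();
        return name.split("[\\s\\[]")[0];
    }

    // True if a key on 'curve' may produce a CertificateVerify signature with
    // 'scheme' under the given protocol version, per the RFCs cited above.
    static boolean usable(int scheme, String curve, boolean tls13) {
        String[] s = ECDSA_SCHEMES.get(scheme);
        if (s == null) {
            return false; // not an ECDSA scheme we model
        }
        return !tls13 || s[1].equals(curve); // curve only constrained in TLS 1.3
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh P-256 key standing in for the device cert's key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECKey key = (ECKey) kpg.generateKeyPair().getPrivate();
        String curve = curveNameOf(key);
        int negotiated = 0x0503; // ecdsa_secp384r1_sha384, as in the question's log

        System.out.printf("key curve: %s%n", curve);
        System.out.printf("0x%04x with %s under TLS 1.2 rules: %s%n",
            negotiated, curve, usable(negotiated, curve, false));
        System.out.printf("0x%04x with %s under TLS 1.3 rules: %s%n",
            negotiated, curve, usable(negotiated, curve, true));
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` on the real connection is the quickest way to confirm which signature_algorithms the device's CertificateRequest actually lists, which decides whether a client can ever satisfy it with a P-256 key.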
