src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

Print this page

        

*** 60,69 **** --- 60,72 ---- // supported and default cipher suites private CipherSuiteList defaultServerCipherSuiteList; private CipherSuiteList defaultClientCipherSuiteList; private CipherSuiteList supportedCipherSuiteList; + // DTLS cookie exchange manager + private HelloCookieManager helloCookieManager; + SSLContextImpl() { ephemeralKeyManager = new EphemeralKeyManager(); clientCache = new SSLSessionContextImpl(); serverCache = new SSLSessionContextImpl(); }
*** 173,215 **** // nothing found, return a dummy X509ExtendedKeyManager return DummyX509KeyManager.INSTANCE; } @Override ! protected SSLSocketFactory engineGetSocketFactory() { if (!isInitialized) { ! throw new IllegalStateException( ! "SSLContextImpl is not initialized"); } ! return new SSLSocketFactoryImpl(this); } @Override ! protected SSLServerSocketFactory engineGetServerSocketFactory() { if (!isInitialized) { throw new IllegalStateException("SSLContext is not initialized"); } ! return new SSLServerSocketFactoryImpl(this); } @Override ! protected SSLEngine engineCreateSSLEngine() { if (!isInitialized) { ! throw new IllegalStateException( ! "SSLContextImpl is not initialized"); } ! return new SSLEngineImpl(this); } @Override ! protected SSLEngine engineCreateSSLEngine(String host, int port) { if (!isInitialized) { ! throw new IllegalStateException( ! "SSLContextImpl is not initialized"); } ! return new SSLEngineImpl(this, host, port); } @Override protected SSLSessionContext engineGetClientSessionContext() { return clientCache; --- 176,218 ---- // nothing found, return a dummy X509ExtendedKeyManager return DummyX509KeyManager.INSTANCE; } + abstract SSLEngine createSSLEngineImpl(); + abstract SSLEngine createSSLEngineImpl(String host, int port); + @Override ! protected SSLEngine engineCreateSSLEngine() { if (!isInitialized) { ! throw new IllegalStateException("SSLContext is not initialized"); } ! return createSSLEngineImpl(); } @Override ! protected SSLEngine engineCreateSSLEngine(String host, int port) { if (!isInitialized) { throw new IllegalStateException("SSLContext is not initialized"); } ! return createSSLEngineImpl(host, port); } @Override ! protected SSLSocketFactory engineGetSocketFactory() { if (!isInitialized) { ! throw new IllegalStateException("SSLContext is not initialized"); } ! return new SSLSocketFactoryImpl(this); } @Override ! protected SSLServerSocketFactory engineGetServerSocketFactory() { if (!isInitialized) { ! throw new IllegalStateException("SSLContext is not initialized"); } ! return new SSLServerSocketFactoryImpl(this); } @Override protected SSLSessionContext engineGetClientSessionContext() { return clientCache;
*** 234,243 **** --- 237,263 ---- EphemeralKeyManager getEphemeralKeyManager() { return ephemeralKeyManager; } + HelloCookieManager getHelloCookieManager() { + if (!isInitialized) { + throw new IllegalStateException("SSLContext is not initialized"); + } + + if (helloCookieManager == null) { + helloCookieManager = getHelloCookieManager(secureRandom); + } + + return helloCookieManager; + } + + HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { + throw new UnsupportedOperationException( + "Cookie exchange applies to DTLS only"); + } + abstract SSLParameters getDefaultServerSSLParams(); abstract SSLParameters getDefaultClientSSLParams(); abstract SSLParameters getSupportedSSLParams(); // Get supported ProtocolList.
*** 317,332 **** boolean isDefaultProtocolList(ProtocolList protocols) { return (protocols == defaultServerProtocolList) || (protocols == defaultClientProtocolList); } /* * Return the list of all available CipherSuites with a priority of * minPriority or above. */ ! private CipherSuiteList getApplicableCipherSuiteList( ProtocolList protocols, boolean onlyEnabled) { int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY; if (onlyEnabled) { minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY; --- 337,360 ---- boolean isDefaultProtocolList(ProtocolList protocols) { return (protocols == defaultServerProtocolList) || (protocols == defaultClientProtocolList); } + /** + * Return whether a protocol list is the original default enabled + * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() + */ + boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) { + return (cipherSuites == defaultClientCipherSuiteList) || + (cipherSuites == defaultServerCipherSuiteList); + } /* * Return the list of all available CipherSuites with a priority of * minPriority or above. */ ! private static CipherSuiteList getApplicableCipherSuiteList( ProtocolList protocols, boolean onlyEnabled) { int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY; if (onlyEnabled) { minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
*** 342,364 **** if (!suite.allowed || suite.priority < minPriority) { continue; } if (suite.isAvailable() && ! suite.obsoleted > protocols.min.v && ! suite.supported <= protocols.max.v) { if (SSLAlgorithmConstraints.DEFAULT.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { suites.add(suite); } } else if (debug != null && Debug.isOn("sslctx") && Debug.isOn("verbose")) { ! if (suite.obsoleted <= protocols.min.v) { System.out.println( "Ignoring obsoleted cipher suite: " + suite); ! } else if (suite.supported > protocols.max.v) { System.out.println( "Ignoring unsupported cipher suite: " + suite); } else { System.out.println( "Ignoring unavailable cipher suite: " + suite); --- 370,392 ---- if (!suite.allowed || suite.priority < minPriority) { continue; } if (suite.isAvailable() && ! !protocols.min.obsoletes(suite) && ! protocols.max.supports(suite)) { if (SSLAlgorithmConstraints.DEFAULT.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { suites.add(suite); } } else if (debug != null && Debug.isOn("sslctx") && Debug.isOn("verbose")) { ! if (protocols.min.obsoletes(suite)) { System.out.println( "Ignoring obsoleted cipher suite: " + suite); ! } else if (!protocols.max.supports(suite)) { System.out.println( "Ignoring unsupported cipher suite: " + suite); } else { System.out.println( "Ignoring unavailable cipher suite: " + suite);
*** 386,397 **** CipherSuite.BulkCipher.clearAvailableCache(); JsseJce.clearEcAvailable(); } } /* ! * The SSLContext implementation for TLS/SSL algorithm * * SSL/TLS protocols specify the forward compatibility and version * roll-back attack protections, however, a number of SSL/TLS server * vendors did not implement these aspects properly, and some current * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client. --- 414,442 ---- CipherSuite.BulkCipher.clearAvailableCache(); JsseJce.clearEcAvailable(); } } + private static String[] getAvailableProtocols( + ProtocolVersion[] protocolCandidates) { + + List<String> availableProtocols = Collections.<String>emptyList(); + if (protocolCandidates != null && protocolCandidates.length != 0) { + availableProtocols = new ArrayList<>(protocolCandidates.length); + for (ProtocolVersion p : protocolCandidates) { + if (ProtocolVersion.availableProtocols.contains(p)) { + availableProtocols.add(p.name); + } + } + } + + return availableProtocols.toArray(new String[0]); + } + + /* ! * The SSLContext implementation for SSL/(D)TLS algorithm * * SSL/TLS protocols specify the forward compatibility and version * roll-back attack protections, however, a number of SSL/TLS server * vendors did not implement these aspects properly, and some current * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
*** 416,433 **** * by default. Applications still can use it by enabling SSLv2Hello with * the series of setEnabledProtocols APIs. */ /* ! * The base abstract SSLContext implementation. * * This abstract class encapsulates supported and the default server ! * SSL parameters. * * @see SSLContext */ ! private abstract static class AbstractSSLContext extends SSLContextImpl { // parameters private static final SSLParameters defaultServerSSLParams; private static final SSLParameters supportedSSLParams; static { --- 461,479 ---- * by default. Applications still can use it by enabling SSLv2Hello with * the series of setEnabledProtocols APIs. */ /* ! * The base abstract SSLContext implementation for the Transport Layer ! * Security (TLS) protocols. * * This abstract class encapsulates supported and the default server ! * SSL/TLS parameters. * * @see SSLContext */ ! private abstract static class AbstractTLSContext extends SSLContextImpl { // parameters private static final SSLParameters defaultServerSSLParams; private static final SSLParameters supportedSSLParams; static {
*** 480,512 **** @Override SSLParameters getSupportedSSLParams() { return supportedSSLParams; } ! static String[] getAvailableProtocols( ! ProtocolVersion[] protocolCandidates) { ! ! List<String> availableProtocols = Collections.<String>emptyList(); ! if (protocolCandidates != null && protocolCandidates.length != 0) { ! availableProtocols = new ArrayList<>(protocolCandidates.length); ! for (ProtocolVersion p : protocolCandidates) { ! if (ProtocolVersion.availableProtocols.contains(p)) { ! availableProtocols.add(p.name); } - } - } ! return availableProtocols.toArray(new String[0]); } } /* * The SSLContext implementation for SSLv3 and TLS10 algorithm * * @see SSLContext */ ! public static final class TLS10Context extends AbstractSSLContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates; --- 526,552 ---- @Override SSLParameters getSupportedSSLParams() { return supportedSSLParams; } ! @Override ! SSLEngine createSSLEngineImpl() { ! return new SSLEngineImpl(this, false); } ! @Override ! SSLEngine createSSLEngineImpl(String host, int port) { ! return new SSLEngineImpl(this, host, port, false); } } /* * The SSLContext implementation for SSLv3 and TLS10 algorithm * * @see SSLContext */ ! public static final class TLS10Context extends AbstractTLSContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates;
*** 535,545 **** /* * The SSLContext implementation for TLS11 algorithm * * @see SSLContext */ ! public static final class TLS11Context extends AbstractSSLContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates; --- 575,585 ---- /* * The SSLContext implementation for TLS11 algorithm * * @see SSLContext */ ! public static final class TLS11Context extends AbstractTLSContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates;
*** 570,580 **** /* * The SSLContext implementation for TLS12 algorithm * * @see SSLContext */ ! public static final class TLS12Context extends AbstractSSLContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates; --- 610,620 ---- /* * The SSLContext implementation for TLS12 algorithm * * @see SSLContext */ ! public static final class TLS12Context extends AbstractTLSContext { private static final SSLParameters defaultClientSSLParams; static { // candidates for available protocols ProtocolVersion[] candidates;
*** 603,618 **** return defaultClientSSLParams; } } /* * The SSLContext implementation for customized TLS protocols * * @see SSLContext */ ! private static class CustomizedSSLContext extends AbstractSSLContext { ! private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; private static final SSLParameters defaultClientSSLParams; private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. // --- 643,719 ---- return defaultClientSSLParams; } } /* + * The interface for the customized SSL/(D)TLS SSLContext. + * + * @see SSLContext + */ + private static class CustomizedSSLProtocols { + private final static String PROPERTY_NAME = "jdk.tls.client.protocols"; + static IllegalArgumentException reservedException = null; + static ArrayList<ProtocolVersion> + customizedProtocols = new ArrayList<>(); + + // Don't want a java.lang.LinkageError for illegal system property. + // + // Please don't throw exception in this static block. Otherwise, + // java.lang.LinkageError may be thrown during the instantiation of + // the provider service. Instead, please handle the initialization + // exception in the caller's constructor. + static { + String property = AccessController.doPrivileged( + new GetPropertyAction(PROPERTY_NAME)); + if (property != null && property.length() != 0) { + // remove double quote marks from beginning/end of the property + if (property.length() > 1 && property.charAt(0) == '"' && + property.charAt(property.length() - 1) == '"') { + property = property.substring(1, property.length() - 1); + } + } + + if (property != null && property.length() != 0) { + String[] protocols = property.split(","); + for (int i = 0; i < protocols.length; i++) { + protocols[i] = protocols[i].trim(); + // Is it a supported protocol name? + try { + ProtocolVersion pro = + ProtocolVersion.valueOf(protocols[i]); + + if (SunJSSE.isFIPS() && + ((pro.v == ProtocolVersion.SSL30.v) || + (pro.v == ProtocolVersion.SSL20Hello.v))) { + reservedException = new IllegalArgumentException( + PROPERTY_NAME + ": " + pro + + " is not FIPS compliant"); + + break; + } + + // ignore duplicated protocols + if (!customizedProtocols.contains(pro)) { + customizedProtocols.add(pro); + } + } catch (IllegalArgumentException iae) { + reservedException = new IllegalArgumentException( + PROPERTY_NAME + ": " + protocols[i] + + " is not a standard SSL protocol name", iae); + } + } + } + } + } + + /* * The SSLContext implementation for customized TLS protocols * * @see SSLContext */ ! private static class CustomizedTLSContext extends AbstractTLSContext { ! private static final SSLParameters defaultClientSSLParams; private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. //
*** 619,635 **** // Please don't throw exception in this static block. Otherwise, // java.lang.LinkageError may be thrown during the instantiation of // the provider service. Instead, let's handle the initialization // exception in constructor. static { // candidates for available protocols ProtocolVersion[] candidates; ! ! String property = AccessController.doPrivileged( ! new GetPropertyAction(PROPERTY_NAME)); ! if (property == null || property.length() == 0) { ! // the default enabled client TLS protocols if (SunJSSE.isFIPS()) { candidates = new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 --- 720,745 ---- // Please don't throw exception in this static block. Otherwise, // java.lang.LinkageError may be thrown during the instantiation of // the provider service. Instead, let's handle the initialization // exception in constructor. static { + reservedException = CustomizedSSLProtocols.reservedException; + if (reservedException == null) { + ArrayList<ProtocolVersion> + customizedTLSProtocols = new ArrayList<>(); + for (ProtocolVersion protocol : + CustomizedSSLProtocols.customizedProtocols) { + if (!protocol.isDTLSProtocol()) { + customizedTLSProtocols.add(protocol); + } + } + // candidates for available protocols ProtocolVersion[] candidates; ! if (customizedTLSProtocols.isEmpty()) { ! // Use the default enabled client protocols if no ! // customized TLS protocols. if (SunJSSE.isFIPS()) { candidates = new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12
*** 641,700 **** ProtocolVersion.TLS11, ProtocolVersion.TLS12 }; } } else { ! // remove double quote marks from beginning/end of the property ! if (property.length() > 1 && property.charAt(0) == '"' && ! property.charAt(property.length() - 1) == '"') { ! property = property.substring(1, property.length() - 1); } - String[] protocols = null; - if (property != null && property.length() != 0) { - protocols = property.split(","); - } else { - reservedException = new IllegalArgumentException( - "No protocol specified in " + - PROPERTY_NAME + " system property"); - protocols = new String[0]; - } - - candidates = new ProtocolVersion[protocols.length]; - for (int i = 0; i < protocols.length; i++) { - protocols[i] = protocols[i].trim(); - // Is it a supported protocol name? - try { - candidates[i] = ProtocolVersion.valueOf(protocols[i]); - } catch (IllegalArgumentException iae) { - reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocols[i] + - " is not a standard SSL/TLS protocol name", iae); - break; - } - } - - if ((reservedException == null) && SunJSSE.isFIPS()) { - for (ProtocolVersion protocolVersion : candidates) { - if (ProtocolVersion.SSL20Hello.v == protocolVersion.v || - ProtocolVersion.SSL30.v == protocolVersion.v) { - reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocolVersion + - " is not FIPS compliant"); - } - } - } - } - defaultClientSSLParams = new SSLParameters(); - if (reservedException == null) { defaultClientSSLParams.setProtocols( getAvailableProtocols(candidates)); } } ! protected CustomizedSSLContext() { if (reservedException != null) { throw reservedException; } } --- 751,775 ---- ProtocolVersion.TLS11, ProtocolVersion.TLS12 }; } } else { ! // Use the customized TLS protocols. ! candidates = ! new ProtocolVersion[customizedTLSProtocols.size()]; ! candidates = customizedTLSProtocols.toArray(candidates); } defaultClientSSLParams = new SSLParameters(); defaultClientSSLParams.setProtocols( getAvailableProtocols(candidates)); + } else { + defaultClientSSLParams = null; // unlikely to be used } } ! protected CustomizedTLSContext() { if (reservedException != null) { throw reservedException; } }
*** 707,726 **** /* * The SSLContext implementation for default "TLS" algorithm * * @see SSLContext */ ! public static final class TLSContext extends CustomizedSSLContext { // use the default constructor and methods } /* * The SSLContext implementation for default "Default" algorithm * * @see SSLContext */ ! public static final class DefaultSSLContext extends CustomizedSSLContext { private static final String NONE = "NONE"; private static final String P11KEYSTORE = "PKCS11"; private static volatile SSLContextImpl defaultImpl; --- 782,801 ---- /* * The SSLContext implementation for default "TLS" algorithm * * @see SSLContext */ ! public static final class TLSContext extends CustomizedTLSContext { // use the default constructor and methods } /* * The SSLContext implementation for default "Default" algorithm * * @see SSLContext */ ! public static final class DefaultSSLContext extends CustomizedTLSContext { private static final String NONE = "NONE"; private static final String P11KEYSTORE = "PKCS11"; private static volatile SSLContextImpl defaultImpl;
*** 877,886 **** --- 952,1148 ---- defaultKeyManagers = kmf.getKeyManagers(); return defaultKeyManagers; } } + /* + * The base abstract SSLContext implementation for the Datagram Transport + * Layer Security (DTLS) protocols. + * + * This abstract class encapsulates supported and the default server DTLS + * parameters. + * + * @see SSLContext + */ + private abstract static class AbstractDTLSContext extends SSLContextImpl { + // parameters + private static final SSLParameters defaultServerSSLParams; + private static final SSLParameters supportedSSLParams; + + static { + // supported SSL parameters + supportedSSLParams = new SSLParameters(); + + // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. + supportedSSLParams.setProtocols(new String[] { + ProtocolVersion.DTLS10.name, + ProtocolVersion.DTLS12.name + }); + + // candidates for available protocols + ProtocolVersion[] candidates = new ProtocolVersion[] { + ProtocolVersion.DTLS10, + ProtocolVersion.DTLS12 + }; + + defaultServerSSLParams = new SSLParameters(); + defaultServerSSLParams.setProtocols( + getAvailableProtocols(candidates)); + } + + @Override + SSLParameters getDefaultServerSSLParams() { + return defaultServerSSLParams; + } + + @Override + SSLParameters getSupportedSSLParams() { + return supportedSSLParams; + } + + @Override + SSLEngine createSSLEngineImpl() { + return new SSLEngineImpl(this, true); + } + + @Override + SSLEngine createSSLEngineImpl(String host, int port) { + return new SSLEngineImpl(this, host, port, true); + } + + @Override + HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { + return new HelloCookieManager(secureRandom); + } + } + + /* + * The SSLContext implementation for DTLSv1.0 algorithm. + * + * @see SSLContext + */ + public static final class DTLS10Context extends AbstractDTLSContext { + private final static SSLParameters defaultClientSSLParams; + + static { + // candidates for available protocols + ProtocolVersion[] candidates = new ProtocolVersion[] { + ProtocolVersion.DTLS10 + }; + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates)); + } + + @Override + SSLParameters getDefaultClientSSLParams() { + return defaultClientSSLParams; + } + } + + /* + * The SSLContext implementation for DTLSv1.2 algorithm. + * + * @see SSLContext + */ + public static final class DTLS12Context extends AbstractDTLSContext { + private final static SSLParameters defaultClientSSLParams; + + static { + // candidates for available protocols + ProtocolVersion[] candidates = new ProtocolVersion[] { + ProtocolVersion.DTLS10, + ProtocolVersion.DTLS12 + }; + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates)); + } + + @Override + SSLParameters getDefaultClientSSLParams() { + return defaultClientSSLParams; + } + } + + /* + * The SSLContext implementation for customized TLS protocols + * + * @see SSLContext + */ + private static class CustomizedDTLSContext extends AbstractDTLSContext { + private final static SSLParameters defaultClientSSLParams; + private static IllegalArgumentException reservedException = null; + + // Don't want a java.lang.LinkageError for illegal system property. + // + // Please don't throw exception in this static block. Otherwise, + // java.lang.LinkageError may be thrown during the instantiation of + // the provider service. Instead, let's handle the initialization + // exception in constructor. + static { + reservedException = CustomizedSSLProtocols.reservedException; + if (reservedException == null) { + ArrayList<ProtocolVersion> + customizedDTLSProtocols = new ArrayList<>(); + for (ProtocolVersion protocol : + CustomizedSSLProtocols.customizedProtocols) { + if (protocol.isDTLSProtocol()) { + customizedDTLSProtocols.add(protocol); + } + } + + // candidates for available protocols + ProtocolVersion[] candidates; + if (customizedDTLSProtocols.isEmpty()) { + // Use the default enabled client protocols if no + // customized TLS protocols. + // + // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. + candidates = new ProtocolVersion[] { + ProtocolVersion.DTLS10, + ProtocolVersion.DTLS12 + }; + + } else { + // Use the customized TLS protocols. + candidates = + new ProtocolVersion[customizedDTLSProtocols.size()]; + candidates = customizedDTLSProtocols.toArray(candidates); + } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates)); + } else { + defaultClientSSLParams = null; // unlikely to be used + } + } + + protected CustomizedDTLSContext() { + if (reservedException != null) { + throw reservedException; + } + } + + @Override + SSLParameters getDefaultClientSSLParams() { + return defaultClientSSLParams; + } + } + + /* + * The SSLContext implementation for default "DTLS" algorithm + * + * @see SSLContext + */ + public static final class DTLSContext extends CustomizedDTLSContext { + // use the default constructor and methods + } + } final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager {
*** 959,969 **** // try the best to check the algorithm constraints ProtocolVersion protocolVersion = ProtocolVersion.valueOf(session.getProtocol()); AlgorithmConstraints constraints = null; ! if (protocolVersion.v >= ProtocolVersion.TLS12.v) { if (session instanceof ExtendedSSLSession) { ExtendedSSLSession extSession = (ExtendedSSLSession)session; String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); --- 1221,1231 ---- // try the best to check the algorithm constraints ProtocolVersion protocolVersion = ProtocolVersion.valueOf(session.getProtocol()); AlgorithmConstraints constraints = null; ! if (protocolVersion.useTLS12PlusSpec()) { if (session instanceof ExtendedSSLSession) { ExtendedSSLSession extSession = (ExtendedSSLSession)session; String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms();
*** 1001,1011 **** // try the best to check the algorithm constraints ProtocolVersion protocolVersion = ProtocolVersion.valueOf(session.getProtocol()); AlgorithmConstraints constraints = null; ! if (protocolVersion.v >= ProtocolVersion.TLS12.v) { if (session instanceof ExtendedSSLSession) { ExtendedSSLSession extSession = (ExtendedSSLSession)session; String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); --- 1263,1273 ---- // try the best to check the algorithm constraints ProtocolVersion protocolVersion = ProtocolVersion.valueOf(session.getProtocol()); AlgorithmConstraints constraints = null; ! if (protocolVersion.useTLS12PlusSpec()) { if (session instanceof ExtendedSSLSession) { ExtendedSSLSession extSession = (ExtendedSSLSession)session; String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms();