@vieiro vieiro commented Nov 27, 2025

Clean backport of JDK-8263188 to JDK11.

It will make it easier to backport and review JDK-8349583 and JDK-8340321, so OpenJDK 11 follows the Oracle JRE and JDK Cryptographic Roadmap on 2026/01 by disabling SHA-1 in TLS/DTLS 1.2 handshake signatures.

Since JDK11 does not sport the ByteBuffer.slice(int, int) method in JDK17 (used in test/jdk/sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java), a second commit adds an equivalent and updates the test.

Tested on Linux with tier1 tests:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/hotspot/jtreg:tier1                     1497  1497     0     0   
   jtreg:test/jdk:tier1                               1899  1899     0     0   
   jtreg:test/langtools:tier1                         3941  3941     0     0   
   jtreg:test/nashorn:tier1                              0     0     0     0   
   jtreg:test/jaxp:tier1                                 0     0     0     0   
==============================
TEST SUCCESS

Also security tests (including new ones) pass:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk/sun/security                         664   664     0     0   
==============================
TEST SUCCESS

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8263188 needs maintainer approval

Issue

  • JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm (Bug - P4 - Requested)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3126/head:pull/3126
$ git checkout pull/3126

Update a local copy of the PR:
$ git checkout pull/3126
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3126/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3126

View PR using the GUI difftool:
$ git pr show -t 3126

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3126.diff

Using Webrev

Link to Webrev Comment

bridgekeeper bot commented Nov 27, 2025

👋 Welcome back avieiro! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

openjdk bot commented Nov 27, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@vieiro vieiro changed the title Backport 99b4bab 8263188: JSSE should fail fast if there isn't supported signature algorithm Nov 27, 2025

vieiro commented Nov 27, 2025

(Is there a GitHub - JIRA sync issue? I've updated the PR title manually)

@openjdk openjdk bot added the rfr Pull request is ready for review label Nov 27, 2025

mlbridge bot commented Nov 27, 2025

Webrevs

jerboaa commented Nov 27, 2025

@vieiro Changing the title manually won't help as then the patch isn't being recognized as backport. Please use the full sha and try again:

Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5

@vieiro vieiro changed the title 8263188: JSSE should fail fast if there isn't supported signature algorithm Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5 Nov 27, 2025
@openjdk openjdk bot changed the title Backport 99b4bab366fe897e41a35240e474ea0cb0b229d5 8263188: JSSE should fail fast if there isn't supported signature algorithm Nov 27, 2025

openjdk bot commented Nov 27, 2025

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport Port of a pull request already in a different code base label Nov 27, 2025
@vieiro vieiro force-pushed the backports/JDK-8263188-2 branch from a2a223a to b17720d Compare December 4, 2025 10:09

openjdk bot commented Dec 4, 2025

@vieiro Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

vieiro commented Dec 4, 2025

I've rebased on master to get the recently merged JDK-8341964 and JDK-8245545 on this branch.

And retested with run-test-jdk_security:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk:jdk_security                        1361  1361     0     0   
==============================
TEST SUCCESS

@jerboaa jerboaa left a comment

Looks good. Please update the copyright since another change happened since and there is no THL A29 Limited in other copyright notices anymore.

vieiro commented Dec 5, 2025

/issue add JDK-8364597

openjdk bot commented Dec 5, 2025

@vieiro
Adding additional issue to issue list: 8364597: Replace THL A29 Limited with Tencent.

jerboaa commented Dec 5, 2025

Please don't add 8364597 to the issues list. It's already done for 11u. That's the business we are in when doing backports. Remember when to adjust a backport if they came in out-of-order.

vieiro commented Dec 5, 2025

/issue remove JDK-8364597

openjdk bot commented Dec 5, 2025

@vieiro
Removing additional issue from issue list: 8364597.

vieiro commented Dec 5, 2025

> Please don't add 8364597 to the issues list. It's already done for 11u. That's the business we are in when doing backports. Remember when to adjust a backport if they came in out-of-order.

Thanks for the tip! I thought we wanted to keep track of related commits too. Good to know!

jerboaa commented Dec 5, 2025

> Thanks for the tip! I thought we wanted to keep track of related commits too. Good to know!

Things like this are good candidates to mention in the approval comments.

@jerboaa jerboaa left a comment

Looks good.

openjdk bot commented Dec 5, 2025

⚠️ @vieiro This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

vieiro commented Dec 5, 2025

/approval request Please consider approving this PR that makes it easier for future backports to follow the Oracle JRE and JDK Cryptographic Roadmap on 2026/01 by disabling SHA-1 in TLS/DTLS 1.2 handshake signatures. The reviewer has kindly reminded to also update the copyright changes introduced in the later JDK-8364597.

openjdk bot commented Dec 5, 2025

@vieiro
8263188: The approval request has been created successfully.

@openjdk openjdk bot added the approval Requires approval; will be removed when approval is received label Dec 5, 2025

Labels

approval Requires approval; will be removed when approval is received backport Port of a pull request already in a different code base rfr Pull request is ready for review

2 participants