GitHub user lhotari created a discussion: Update certificates used in TLS tests to use RSA keys & SHA-256 signature algorithm so that TLSv1.3 support can be added
**Problem**

In TLSv1.3, certificates using a SHA-1 signature algorithm are considered legacy and it's not recommended that TLSv1.3 implementations accept certificates that use SHA-1 signature algorithms.

[In RFC8446, section 4.4.2.4. Receiving a Certificate Message](https://tools.ietf.org/html/rfc8446#section-4.4.2.4)

_SHA-1 is deprecated, and it is RECOMMENDED that any endpoint receiving any certificate which it would need to validate using any signature algorithm using a SHA-1 hash abort the handshake with a "bad_certificate" alert._

Support for Digital Signature Algorithm (DSA) is also removed in TLSv1.3:

[In RFC8446, section 1.2 Major Differences from TLS 1.2](https://tools.ietf.org/html/rfc8446#section-1.2)

_Other cryptographic improvements were made, including changing the RSA padding to use the RSA Probabilistic Signature Scheme (RSASSA-PSS), and the removal of compression, the Digital Signature Algorithm (DSA), and custom Ephemeral Diffie-Hellman (DHE) groups._

**Solution**

Update all certificates (server and client) used in Pulsar tests to use RSA keys & SHA-256 signature algorithms so that it's possible to add TLSv1.3 support.

**Additional context**

#8580, #8581

[TLSv1.3 is available in Java 8 since 8u161 (since OpenJDK 8u272)](https://github.com/AdoptOpenJDK/openjdk-build/issues/1254#issuecomment-683337917).

GitHub link: https://github.com/apache/pulsar/discussions/18870

----
This is an automatically sent email for dev@pulsar.apache.org.
To unsubscribe, please send an email to: dev-unsubscr...@pulsar.apache.org
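An added example, not part of the original discussion or of Pulsar's code: a standard-library Python check that reads a certificate's signature algorithm and public key algorithm from its DER structure and flags the SHA-1 and DSA cases described above. The names `audit`, `tlvs`, `der` and `sample` are hypothetical, and the sample input is a constructed certificate skeleton, not one of the project's test certificates.

```python
import base64

SIG = {  # DER-encoded OID body (hex) -> signature algorithm
    "2a864886f70d010105": "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    "2a864886f70d01010b": "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
    "2a8648ce380403": "dsa-with-sha1",                # 1.2.840.10040.4.3
    "2a8648ce3d0401": "ecdsa-with-SHA1",              # 1.2.840.10045.4.1
}
KEY = {"2a864886f70d010101": "rsaEncryption", "2a8648ce380401": "id-dsa"}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def audit(cert):
    """Return (signature alg, key alg, problems) for a PEM str or DER bytes."""
    if isinstance(cert, str):  # PEM: base64 between the BEGIN/END lines
        cert = base64.b64decode("".join(cert.strip().splitlines()[1:-1]))
    certificate = next(tlvs(cert))[1]
    tbs, sig_alg, _ = (v for _, v in tlvs(certificate))
    fields = [v for t, v in tlvs(tbs) if t != 0xA0]  # drop optional [0] version
    spki = fields[5]  # after serial, signature, issuer, validity, subject
    sig = next(tlvs(sig_alg))[1].hex()
    key = next(tlvs(next(tlvs(spki))[1]))[1].hex()
    sig, key = SIG.get(sig, sig), KEY.get(key, key)
    problems = ["SHA-1 signature"] if "sha1" in sig.lower() else []
    if key == "id-dsa" or sig.startswith("dsa"):
        problems.append("DSA")
    return sig, key, problems

# Constructed sample: a certificate skeleton with empty names and a dummy key
# and signature, enough to exercise the parser (not a real certificate).
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length only

def sample(sig_hex, key_hex):
    alg = lambda h: der(0x30, der(0x06, bytes.fromhex(h)), b"\x05\x00")
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", alg(sig_hex),
              der(0x30), der(0x30), der(0x30),
              der(0x30, alg(key_hex), b"\x03\x01\x00"))
    return der(0x30, tbs, alg(sig_hex), b"\x03\x01\x00")
```

Pass `audit` the text of a PEM file as a `str` or DER as `bytes`; an algorithm missing from the two tables is returned as its hex-encoded OID rather than a name.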