Possible insecure signature algorithm in TLS Key Exchange

@Alejandro_M

I didn’t get you, since as far as I understand you will not generate certificates that use the SHA1withRSA signature algorithm. However, after conducting several tests, I discovered that you can achieve your goal by specifying the appropriate Signature Schemes that can be used over the TLS protocol.

-Djdk.tls.server.SignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384 -Djavax.net.ssl.SSLParameters.setSignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384

You can find the list of available Signature Schemes in the Java Security Standard Algorithm Names.

Please ensure that you evaluate the proposed solution within the context of your own risks and assumptions, as I have not conducted extensive testing on it.

Kind regards,
Diego from HiveMQ Team
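
A way to check such an allowlist before deploying it, as an added example that is not part of the reply above and not HiveMQ code: it reads the same `jdk.tls.server.SignatureSchemes` property, refuses any SHA-1 or MD5 based entry, and applies the list to a server-side `SSLEngine` through the `SSLParameters.setSignatureSchemes` method. The class name `SignatureSchemeCheck` is hypothetical, and the method call assumes Java 19 or later.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Hypothetical helper class, added for illustration.
public class SignatureSchemeCheck {

    // Parse a comma-separated scheme list; reject SHA-1 and MD5 based entries
    // such as rsa_pkcs1_sha1, ecdsa_sha1, dsa_sha1 or rsa_md5.
    static List<String> parseAllowlist(String csv) {
        List<String> schemes = new ArrayList<>();
        for (String raw : csv.split(",")) {
            String s = raw.trim();
            if (s.isEmpty()) continue;
            String lower = s.toLowerCase(Locale.ROOT);
            if (lower.endsWith("_sha1") || lower.endsWith("_md5")) {
                throw new IllegalArgumentException("weak signature scheme in list: " + s);
            }
            schemes.add(s);
        }
        if (schemes.isEmpty()) throw new IllegalArgumentException("empty scheme list");
        return schemes;
    }

    public static void main(String[] args) throws Exception {
        // Uses the list from the post when the system property is not set.
        String csv = System.getProperty("jdk.tls.server.SignatureSchemes",
                "rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384");
        List<String> allow = parseAllowlist(csv);

        // Server-mode engine from the default context; no network I/O happens here.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        SSLParameters params = engine.getSSLParameters();
        params.setSignatureSchemes(allow.toArray(new String[0])); // Java 19+
        engine.setSSLParameters(params);

        // Read the parameters back to confirm what the engine will offer.
        String[] effective = engine.getSSLParameters().getSignatureSchemes();
        System.out.println("Effective signature schemes: " + String.join(", ", effective));
    }
}
```

Running it with `-Djdk.tls.server.SignatureSchemes=...` set to the candidate list fails fast if a SHA-1 scheme slipped in, before the broker is restarted with that setting.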