Quality Outreach Heads-up - JDK 26: HttpClient Supports TLS Named Groups & Signature Schemes
Ana-Maria Mihalceanu on November 26, 2025
The OpenJDK Quality Group is promoting the testing of FOSS projects with OpenJDK builds as a way to improve the overall quality of the release. This heads-up is part of the quality outreach sent to the projects involved. To learn more about the program, and how to join, please check here.
TLS Named Groups and Signature Schemes Setup for HttpClient
Java applications can configure TLS constraints on javax.net.ssl.SSLParameters during the setup of new connections.
Yet, as of now, HttpClient ignores named groups and signature schemes set on SSLParameters.
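
    import java.net.http.HttpClient;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLParameters;

    // TLS constraints the application wants applied to the handshake.
    String[] restrictedNamedGroups = {"x25519", "x448"};
    String[] preferredSignatureScheme = {"ed25519", "ed448"};

    final SSLParameters sslParameters = new SSLParameters();
    sslParameters.setNamedGroups(restrictedNamedGroups);
    sslParameters.setSignatureSchemes(preferredSignatureScheme);

    // getDefault() throws NoSuchAlgorithmException, which the caller must handle.
    SSLContext sslContext = SSLContext.getDefault();
    HttpClient client = HttpClient.newBuilder()
            .sslContext(sslContext)
            .sslParameters(sslParameters)
            .build();
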
Starting with JDK 26, the java.net.http.HttpClient preserves the signature schemes and named groups configured via SSLParameters when negotiating the TLS handshake.
This fix has been incorporated into the 26-ea mainline build available here. For more details on this change, check the JBS issue: JDK-8367112.
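
One way for a project to check this on a given JDK build, as an added example that is not part of the original post or of the JDK: it reads back the client's copy of SSLParameters and reports whether the named groups and signature schemes set on the builder are still there. The class name TlsParamsCheck and the optional URL argument (a test server you run) are assumptions.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example; TlsParamsCheck is a hypothetical name, not JDK or project code.
public class TlsParamsCheck {
    // True when the client's copy of SSLParameters still carries both settings.
    static boolean preserved(HttpClient client, String[] groups, String[] schemes) {
        SSLParameters effective = client.sslParameters();
        return Arrays.equals(groups, effective.getNamedGroups())
                && Arrays.equals(schemes, effective.getSignatureSchemes());
    }

    public static void main(String[] args) throws Exception {
        String[] groups = {"x25519", "x448"};
        String[] schemes = {"ed25519", "ed448"};
        SSLParameters params = new SSLParameters();
        params.setNamedGroups(groups);
        params.setSignatureSchemes(schemes);

        HttpClient client = HttpClient.newBuilder()
                .sslContext(SSLContext.getDefault())
                .sslParameters(params)
                .build();

        SSLParameters effective = client.sslParameters();
        System.out.println("Runtime:           " + Runtime.version());
        System.out.println("Named groups:      " + Arrays.toString(effective.getNamedGroups()));
        System.out.println("Signature schemes: " + Arrays.toString(effective.getSignatureSchemes()));
        System.out.println(preserved(client, groups, schemes)
                ? "PRESERVED: the client kept the configured constraints"
                : "DROPPED: the client is not carrying the configured constraints");

        // Optional: pass the HTTPS URL of a test server you run (assumption); the handshake
        // may fail if that server has no matching group or no EdDSA certificate.
        if (args.length == 1) {
            HttpRequest request = HttpRequest.newBuilder(URI.create(args[0])).build();
            try {
                int status = client.send(request, HttpResponse.BodyHandlers.discarding()).statusCode();
                System.out.println("Handshake OK, HTTP " + status);
            } catch (java.io.IOException e) { // SSLHandshakeException is an IOException
                System.out.println("Request failed: " + e);
            }
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` and a URL also logs the ClientHello, where the supported_groups and signature_algorithms extensions show what the client actually offered.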
