Index: modules/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
===================================================================
--- modules/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java (revision 453534)
+++ modules/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java (working copy)
@@ -503,27 +503,26 @@
 computerMasterSecret();
- if (clientCert != null) {
- boolean[] keyUsage = clientCert.certs[0].getKeyUsage();
- if (keyUsage != null && keyUsage[0]) {
- // Certificate verify
- DigitalSignature ds = new DigitalSignature(
- session.cipherSuite.keyExchange);
- if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_RSA_EXPORT
- || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_RSA
- || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_RSA_EXPORT) {
- ds.setMD5(io_stream.getDigestMD5());
- ds.setSHA(io_stream.getDigestSHA());
- } else if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_DSS
- || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_DSS_EXPORT) {
- ds.setSHA(io_stream.getDigestSHA());
- // The Signature should be empty in case of anonimous signature algorithm:
- // } else if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DH_anon ||
- // session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DH_anon_EXPORT) {
- }
- certificateVerify = new CertificateVerify(ds.sign());
- send(certificateVerify);
+ // send certificate verify for all certificates except those containing
+ // fixed DH parameters
+ if (clientCert != null && !clientKeyExchange.isEmpty()) {
+ // Certificate verify
+ DigitalSignature ds = new DigitalSignature(
+ session.cipherSuite.keyExchange);
+ if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_RSA_EXPORT
+ || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_RSA
+ || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_RSA_EXPORT) {
+ ds.setMD5(io_stream.getDigestMD5());
+ ds.setSHA(io_stream.getDigestSHA());
+ } else if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_DSS
+ || session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DHE_DSS_EXPORT) {
+ ds.setSHA(io_stream.getDigestSHA());
+ // The Signature should be empty in case of anonimous signature algorithm:
+ // } else if (session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DH_anon ||
+ // session.cipherSuite.keyExchange == CipherSuite.KeyExchange_DH_anon_EXPORT) {
 }
+ certificateVerify = new CertificateVerify(ds.sign());
+ send(certificateVerify);
 }
 sendChangeCipherSpec();
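Review bot: With the keyUsage gate removed, every client certificate that is not fixed-DH now reaches `ds.sign()`, yet the digest selection above it is still keyed on `session.cipherSuite.keyExchange` and has no branch for a plain (non-export) RSA key exchange, so on that path neither `setMD5` nor `setSHA` appears to be called before signing. CertificateVerify is signed with the client's own key, whose type is independent of the negotiated key exchange, so the branch should follow the client key instead, e.g. `String alg = clientCert.certs[0].getPublicKey().getAlgorithm();` with MD5 and SHA set for `"RSA"` and SHA only for `"DSA"`. Separately, the digitalSignature check is dropped even when a KeyUsage extension is present; a certificate whose extension does not assert that bit is better rejected where the client certificate is selected than signed with here. What the `DigitalSignature` constructor does with the key-exchange value is not visible in this hunk, so the first point should be confirmed against that class. The enclosing method begins and ends outside the hunk.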