RFR: 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Artur Barashev
abarashev at openjdk.org
Thu Apr 10 13:57:08 UTC 2025
MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates:
Any endpoint receiving any certificate which it would need to
validate using any signature algorithm using an MD5 hash MUST abort
the handshake with a "bad_certificate" alert.
The bug manifests itself when older versions of protocol are supported besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are supported, both client and server calculate their respective SSLSessions's "localSupportedSignAlgs" based on supported signature algorithms for all active protocols and don't update it when negotiated protocol is established. Then "localSupportedSignAlgs" list is used to validate certificate's algorithm.
While we disable "MD5withRSA" in java.security config, MD5 algorithm should not be allowed in TLSv1.3 regardless of optional configuration.
-------------
Commit messages:
- Cosmetic test changes
- Optimize imports
- A couple of typo fixes
- Abort the handshake with a bad_certificate alert on MD5 and SHA1
- Update test run directive. Remove unnecessary comments
- Update unit test
- Unit test
- 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Changes: https://git.openjdk.org/jdk/pull/24425/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=24425&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8350807
Stats: 501 lines in 11 files changed: 426 ins; 42 del; 33 mod
Patch: https://git.openjdk.org/jdk/pull/24425.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24425/head:pull/24425
PR: https://git.openjdk.org/jdk/pull/24425
More information about the net-dev
mailing list