Code review request, 8030829 Add MD5 to jdk.certpath.disabledAlgorithms security property

Xuelei Fan Xuelei.Fan at Oracle.COM
Sun Jan 5 19:08:15 PST 2014


Hi,

Please review this update for JDK 9.

webrev: http://cr.openjdk.java.net/~xuelei/8030829/webrev.00/

Per the spec of RFC 6151, MD5 must not be used for digital signatures 
where collision resistance is required.  Adding MD5 to 
jdk.certpath.disabledAlgorithms security property can prevent the usage 
of MD5 as digital signature algorithm during X.509 certificate operations.

It is not necessary to stop using HMAC-MD5 per RFC 6151. TLS is making 
use of HMAC-MD5.  It is not necessary to stop HMAC-MD5 in JSSE at present.

With this update, there are compatibility issues with those applications 
still using MD5 signed certificate. Please upgrade the weak certificate 
ASAP.

Thanks,
Xuelei



More information about the security-dev mailing list