Code review request, 8030829 Add MD5 to jdk.certpath.disabledAlgorithms security property

Sean Mullan sean.mullan at oracle.com
Fri Jan 10 16:31:09 UTC 2014


On 01/09/2014 09:28 PM, Xuelei Fan wrote:
> On 1/10/2014 6:34 AM, Sean Mullan wrote:
>> The code change looks fine. My main concern is the number of tests that
>> have been converted to run in othervm which will make the tests run
>> slower. Did you explore how much effort it would be to convert some of
>> the test certificates to use stronger algorithms?
>>
> I did think about changing the certificates from MD5 to SHA-1 or SHA-2.
> But it is not a small effort, for some cases it is not doable. I would
> rather open a new bug to remove the test dependency on MD5 signature if
> possible. What do you think?

That sounds good.

>> Also, I noticed many of the tests are using ocsp security properties.
>> These tests can now use the PKIXRevocationChecker API added in JDK 8
>> which won't put a dependency on security properties which require them
>> to be run with othervm.
>>
> We may backport this fix.  Nice to address it in another new bug for JDK
> 8/9.

Ok, can you also file one for that?

Thanks,
Sean

>
> Thanks,
> Xuelei
>
>> --Sean
>>
>> On 01/05/2014 10:08 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review this update for JDK 9.
>>>
>>> webrev: http://cr.openjdk.java.net/~xuelei/8030829/webrev.00/
>>>
>>> Per the spec of RFC 6151, MD5 must not be used for digital signatures
>>> where collision resistance is required.  Adding MD5 to
>>> jdk.certpath.disabledAlgorithms security property can prevent the usage
>>> of MD5 as a digital signature algorithm during X.509 certificate
>>> operations.
>>>
>>> It is not necessary to stop using HMAC-MD5 per RFC 6151. TLS is making
>>> use of HMAC-MD5.  It is not necessary to stop HMAC-MD5 in JSSE at
>>> present.
>>>
>>> With this update, there are compatibility issues with those applications
>>> still using MD5-signed certificates. Please upgrade the weak certificates
>>> ASAP.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>
>
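
The thread suggests that tests use the PKIXRevocationChecker API from JDK 8 instead of the ocsp security properties. The sketch below is an added example, not code from the webrev or from the JDK tests; the class name, helper names and responder address are assumptions made for illustration.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PerValidationOcsp {            // hypothetical class name

    // Revocation settings travel with this PKIXParameters object, so no
    // process-wide Security.setProperty("ocsp.enable", ...) is needed.
    static PKIXParameters ocspParams(Set<TrustAnchor> anchors, URI responder)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOcspResponder(responder);                // replaces ocsp.responderURL
        rc.setOptions(EnumSet.of(Option.NO_FALLBACK)); // OCSP only, no CRL fallback
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);                 // used for this validation only
        return params;
    }

    // Sample input: trust anchors taken from the runtime's default trust store.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                anchors.add(new TrustAnchor(c, null));
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        URI responder = URI.create("http://ocsp.example.test/"); // constructed address
        PKIXParameters p = ocspParams(defaultAnchors(), responder);
        PKIXRevocationChecker rc = (PKIXRevocationChecker) p.getCertPathCheckers().get(0);
        System.out.println("OCSP responder for this validation: " + rc.getOcspResponder());
    }
}
```

Passing the returned parameters to `CertPathValidator.validate` applies the checker to that one call, which is why a test written this way does not depend on security properties.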