[rfc][jdk8u/jdk] Disable broken crypto algorithms (sane defaults)
Jacob Wisor
gitne at gmx.de
Wed Mar 4 20:26:42 UTC 2015
Hello there!
Please review this patch disabling deprecated, broken, or insecure crypto
algorithms. I think it is fair to say that these should be sane defaults by now,
similar to what main web browser vendors do.
AFAICT, JDK 8 ships with only one legacy MD5withRSA signed certificate which is
from the GTE CyberTrust Global Root CA. All other CAs have moved to SHA1 or
SHA256 signatures. So this certificate would have to be replaced by package
maintainers and/or release engineers.
If it is too late for JDK 8 then JDK 9 should definitely deploy with these defaults.
Regards,
Jacob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DisableBrokenCryptoAlgorithms.patch
Type: text/x-patch
Size: 4099 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20150304/254b1b32/DisableBrokenCryptoAlgorithms.patch>