RFR: [jdk8u/jdk] Disable broken crypto algorithms (sane defaults)

Jacob Wisor gitne at gmx.de
Tue Mar 10 18:50:02 UTC 2015


Ping?

On 03/04/2015 at 09:26 PM CET Jacob Wisor wrote:
> Hello there!
>
> Please review this patch disabling deprecated, broken, or insecure crypto
> algorithms. I think it is fair to say that these should be sane defaults by now,
> similar to what main web browser vendors do.
>
> AFAICT, JDK 8 ships with only one legacy MD5withRSA signed certificate which is
> from the GTE CyberTrust Global Root CA. All other CAs have moved to SHA1 or
> SHA256 signatures. So this certificate would have to be replaced by package
> maintainers and/or release engineers.
>
> If it is too late for JDK 8 then JDK 9 should definitely deploy with these
> defaults.
>
> Regards,
>
> Jacob

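The claim above about cacerts contents is easy to verify locally. The following audit is an added example (not part of the patch under review and not code from the JDK itself): it loads the running JDK's cacerts trust store, flags trust anchors whose signature algorithm is MD2/MD5 (broken) or SHA-1 (deprecated), flags weak public keys, and prints the two java.security properties (jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms) that a "sane defaults" change of this kind would edit. The key-size thresholds and the default cacerts password "changeit" are assumptions of this example, not values from the message.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

/**
 * Audits a JDK cacerts trust store for anchors signed with broken (MD2, MD5)
 * or deprecated (SHA-1) algorithms, or carrying weak public keys.
 * Example code written for this page; thresholds below are assumptions.
 */
public class CacertsAudit {

    // Assumed policy thresholds for "weak key"; adjust to local policy.
    static final int MIN_RSA_DSA_BITS = 2048;
    static final int MIN_EC_BITS = 256;

    /** Returns a reason string if the certificate should be flagged, else null. */
    static String checkCertificate(X509Certificate cert) {
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        if (sigAlg.contains("MD2") || sigAlg.contains("MD5")) {
            return "broken signature algorithm " + cert.getSigAlgName();
        }
        if (sigAlg.contains("SHA1")) {
            return "deprecated signature algorithm " + cert.getSigAlgName();
        }
        PublicKey key = cert.getPublicKey();
        int bits = keyBits(key);
        int min = (key instanceof ECPublicKey) ? MIN_EC_BITS : MIN_RSA_DSA_BITS;
        if (bits > 0 && bits < min) {
            return "weak " + key.getAlgorithm() + " key (" + bits + " bits)";
        }
        return null; // nothing to report
    }

    /** Key strength in bits for the key types cacerts actually contains. */
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return -1; // unknown key type; not assessed
    }

    /** Walks every trusted-certificate entry and collects findings. */
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String reason = checkCertificate(cert);
            if (reason != null) {
                findings.add(alias + ": " + reason
                        + " [" + cert.getSubjectX500Principal().getName() + "]");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory on JDK 8 (jre/lib/security/cacerts) and the
        // installation root on JDK 9+ (lib/security/cacerts); this path covers both.
        Path cacerts = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray()); // assumed: the stock cacerts password
        }
        System.out.println("Trust store: " + cacerts + " (" + ks.size() + " entries)");
        // What the running JDK already disables; a defaults patch edits these two
        // properties in lib/security/java.security.
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        System.out.println("jdk.tls.disabledAlgorithms      = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String f : audit(ks)) System.out.println("FLAG " + f);
    }
}
```

Run it with `javac CacertsAudit.java && java CacertsAudit` (or pass an explicit cacerts path as the first argument) on the JDK build you are checking. One caveat when reading the output: a self-signed root's own signature is not verified during path validation, since the anchor is trusted by its presence in the store, so an MD5withRSA root is a hygiene and defaults problem rather than something that breaks chain building by itself; the key size of the anchor, by contrast, is checked against jdk.certpath.disabledAlgorithms.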