[RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider

Seán Coffey sean.coffey at oracle.com
Fri Jul 14 10:17:17 UTC 2017


I think we should log a JDK 8u bug for this issue if one doesn't already 
exist. If the buggy SigAlgName was allowed in 8u updates already, then 
it should be continued to be allowed for compatibility reasons IMO. 
There might be time to revert that change in 8u152.

For 9, then maybe we can document the minor behavioural change that' 
been introduced.


On 14/07/17 05:25, Anthony Scarpino wrote:
> On 07/12/2017 07:45 AM, Sean Mullan wrote:
>> On 7/11/17 3:10 PM, Langer, Christoph wrote:
>>> In any case, from what you are saying, I take that I can safely 
>>> patch our JDK distribution with this change without doing a bad 
>>> thing to security in general, wouldn't you agree?
>> Yes, I agree.
>> Also, note that you can probably also workaround this issue by adding 
>> a specific "SHA1/RSA" constraint to the 
>> jdk.certpath.disabledAlgorithms security property.
>> --Sean
> The problem cannot be resolved by jdk.certpath.disabledAlgorithms. 
> Without using X509CertImpl, the non-standard "SHA1/RSA" is not 
> converted to "SHA1withRSA" The failing call is in the 
> SSLAlgorithConstraints.permit() checks by matching the algorithm name 
> with a list of standard supported algorithm names, and therefore fails.
> Tony

More information about the security-dev mailing list