RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates
Sean Mullan
sean.mullan at oracle.com
Mon Mar 13 14:57:14 UTC 2017
Please review this configuration change to disable SHA-1 TLS server
certificates by default in JDK 9. In order to be disabled, the
certificates must chain back to a trusted root certificate in the cacerts
keystore that has a " [jdk]" attribute appended to its alias name.
--Sean
diff --git a/src/java.base/share/conf/security/java.security
b/src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -598,8 +598,8 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
- DSA keySize < 1024, EC keySize < 224
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
+ RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
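Review bot: the new `jdkCA` and `usage TLSServer` constraint forms introduced in the `SHA1 jdkCA & usage TLSServer` entry are not documented in the visible comment block, whose only syntax example (`# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048`) still shows just a `keySize` constraint. Consider extending that comment to describe the `jdkCA` constraint (certificate chains to a cacerts root whose alias carries the " [jdk]" suffix), the `usage` constraint, and the `&` conjunction, so a reader of java.security can tell from the file alone that SHA-1 is disabled only for TLS server certificates chaining to such a root, as the review request explains.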
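To make the effect of the changed property value concrete, the following is an added example (not JDK code, not part of the review) that parses the `jdk.certpath.disabledAlgorithms` entry syntax as it appears in the hunk and evaluates a simplified certificate description against it. It assumes a constructed `CertInfo` record, models only the constraint forms visible in the hunk (`keySize < N`, `jdkCA`, `usage X`, joined with `&`), and simplifies the JDK's matching by comparing an entry's algorithm name against the certificate's digest name or key algorithm.

```python
import re
from dataclasses import dataclass

@dataclass
class CertInfo:
    # Constructed, simplified description of a certificate under validation.
    # This is not a JDK type; it carries only what the constraints below need.
    sig_digest: str          # digest of the signature algorithm, e.g. "SHA1", "SHA256"
    key_alg: str             # public key algorithm: "RSA", "DSA", "EC"
    key_size: int            # public key size in bits
    chains_to_jdk_ca: bool   # anchored at a cacerts root whose alias ends in " [jdk]"
    usage: str               # "TLSServer", "TLSClient", ...

def parse_disabled_algorithms(value):
    """Split a property value into (algorithm, [constraint, ...]) entries.

    Entries are comma-separated; constraints after the algorithm name are
    joined with '&'.  Backslash continuation lines from java.security are
    assumed to have been joined into one string already.
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(None, 1)
        alg = parts[0]
        constraints = [c.strip() for c in parts[1].split("&")] if len(parts) == 2 else []
        entries.append((alg, constraints))
    return entries

def _constraint_matches(constraint, cert):
    # Only the constraint forms present in the reviewed hunk are modelled here.
    m = re.fullmatch(r"keySize\s*<\s*(\d+)", constraint)
    if m:
        return cert.key_size < int(m.group(1))
    if constraint == "jdkCA":
        return cert.chains_to_jdk_ca
    m = re.fullmatch(r"usage\s+(\S+)", constraint)
    if m:
        return cert.usage == m.group(1)
    raise ValueError("unsupported constraint form: " + constraint)

def disabled_by(value, cert):
    """Return the (algorithm, constraints) entry that disables cert, or None.

    An entry applies when its algorithm name matches the certificate's digest
    or key algorithm and every constraint holds (the '&' is a conjunction);
    an entry with no constraints disables the algorithm unconditionally.
    """
    for alg, constraints in parse_disabled_algorithms(value):
        if alg not in (cert.sig_digest, cert.key_alg):
            continue
        if all(_constraint_matches(c, cert) for c in constraints):
            return alg, constraints
    return None

# Values before and after the hunk, with the continuation lines joined.
OLD_VALUE = "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224"
NEW_VALUE = ("MD2, MD5, SHA1 jdkCA & usage TLSServer, "
             "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224")

if __name__ == "__main__":
    # A SHA-1 server certificate chaining to a " [jdk]" root: accepted before, rejected now.
    server_jdk = CertInfo("SHA1", "RSA", 2048, True, "TLSServer")
    print("old:", disabled_by(OLD_VALUE, server_jdk))
    print("new:", disabled_by(NEW_VALUE, server_jdk))
    # The same certificate anchored at a privately added root is still accepted.
    print("private root:", disabled_by(NEW_VALUE, CertInfo("SHA1", "RSA", 2048, False, "TLSServer")))
```

Running the block shows the point of the change: the SHA-1 entry fires only when both `jdkCA` and `usage TLSServer` hold, so SHA-1 client certificates and SHA-1 server certificates under a locally added trust anchor are unaffected by this entry.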