RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates

Vincent Ryan vincent.x.ryan at oracle.com
Mon Mar 13 15:52:15 UTC 2017


That change looks fine to me.
Thanks.


> On 13 Mar 2017, at 14:57, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> Please review this configuration change to disable SHA-1 TLS server certificates by default in JDK 9. In order to be disabled, the certificates must chain back to trusted root certificate in the cacerts keystore that has a " [jdk]" attribute appended to their alias name.
> 
> --Sean
> 
> diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
> --- a/src/java.base/share/conf/security/java.security
> +++ b/src/java.base/share/conf/security/java.security
> @@ -598,8 +598,8 @@
> #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
> #
> #
> -jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
> -    DSA keySize < 1024, EC keySize < 224
> +jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
> +    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
> 
> #
> # Algorithm restrictions for signed JAR files




More information about the security-dev mailing list