RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates
Vincent Ryan
vincent.x.ryan at oracle.com
Mon Mar 13 15:52:15 UTC 2017
That change looks fine to me.
Thanks.
> On 13 Mar 2017, at 14:57, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> Please review this configuration change to disable SHA-1 TLS server certificates by default in JDK 9. In order to be disabled, the certificates must chain back to trusted root certificate in the cacerts keystore that has a " [jdk]" attribute appended to their alias name.
>
> --Sean
>
> diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
> --- a/src/java.base/share/conf/security/java.security
> +++ b/src/java.base/share/conf/security/java.security
> @@ -598,8 +598,8 @@
> # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
> #
> #
> -jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
> - DSA keySize < 1024, EC keySize < 224
> +jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
> + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
>
> #
> # Algorithm restrictions for signed JAR files
More information about the security-dev
mailing list