RFR: 3 security-libs release notes on keytool/krb5/etc
Bernd Eckenfels
ecki at zusammenkunft.net
Fri Mar 24 10:26:31 UTC 2017
I wonder if "weak key" should be replaced by "weak key length" or "short key". It might otherwise imply key quality tests which are not carried out.
Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of Weijun Wang <weijun.wang at oracle.com>
Sent: Friday, March 24, 2017 2:12:01 AM
To: Security Dev OpenJDK
Subject: RFR: 3 security-libs release notes on keytool/krb5/etc
Hi All
Please take a review on 3 release notes. The content itself is pasted as
quotation below.
https://bugs.openjdk.java.net/browse/JDK-8176087
keytool now prints warnings when reading or generating cert/cert req
using weak algorithms
> In all keytool functions, if the certificate/certificate request/CRL
> that is working on (whether it be the input, the output, or an
> existing object) is using a weak algorithm or key, a warning will be
> printed out.
>
> Precisely, an algorithm or a key is weak if it matches the value of
> the jdk.certpath.disabledAlgorithms security property defined in
> conf/security/java.security.
https://bugs.openjdk.java.net/browse/JDK-8174143
Deprecate security APIs that have been superseded
> The classes and interfaces in the `java.security.acl` and
> `javax.security.cert` packages have been superseded by replacements
> for a long time and are deprecated in JDK 9. Two methods
> `javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()` and
> `javax.net.ssl.SSLSession.getPeerCertificateChain()` are also
> deprecated since they return the
> `javax.security.cert.X509Certificate` type.
https://bugs.openjdk.java.net/browse/JDK-8168635
rcache interop with krb5-1.15
> The hash algorithm used in the Kerberos 5 replay cache file (rcache)
> is updated from MD5 to SHA256 with this change. This is also the
> algorithm used by MIT krb5-1.15. This change is interoperable with
> earlier releases of MIT krb5, which means Kerberos 5 acceptors from
> JDK 9 and MIT krb5-1.14 can share the same rcache file.
>
> A new system property named jdk.krb5.rcache.useMD5 is introduced. If
> the system property is set to "true", JDK 9 will still use the MD5
> hash algorithm in rcache. This is useful when both of the following
> conditions are true: 1) the system has a very coarse clock and has to
> depend on hash values in replay attack detection, and 2)
> interoperability with earlier versions of JDK or MIT krb5 for rcache
> files is required. The default value of this system property is
> "false".
Thanks
Max
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20170324/b1bfec24/attachment.htm>
More information about the security-dev
mailing list