RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file
Weijun Wang
weijun at openjdk.java.net
Thu Apr 28 19:57:42 UTC 2022
On Thu, 28 Apr 2022 19:48:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> We added a new system property back in https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe it in the `java.security` file as well.
>>
>> Please review the text. I especially added the last sentence so that people won't set `-Dkeystore.pkcs12.legacy=false`.
>
> src/java.base/share/conf/security/java.security line 1174:
>
>> 1172: # If the property is not set or empty, a default value will be used.
>> 1173: #
>> 1174: # For compatibility, the system property "keystore.pkcs12.legacy" can be set
>
> Was wondering if we should add why you might want to set this property, ex: "For compatibility with JDK or PKCS12 implementations that do not support the stronger algorithms ..."
>
> Compatibility with prior JDK versions should be less of an issue over time as these stronger settings and algs have been backported to prior JDKs.
OpenSSL's help page shows
-legacy Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
Can we also say "To work with legacy PKCS #12 files"?
-------------
PR: https://git.openjdk.java.net/jdk/pull/8452
More information about the security-dev
mailing list