RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

Weijun Wang weijun at openjdk.java.net
Thu Apr 28 19:57:42 UTC 2022


On Thu, 28 Apr 2022 19:48:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> We added a new system property back in https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe it in the `java.security` file as well.
>> 
>> Please review the text. I especially added the last sentence so that people won't set `-Dkeystore.pkcs12.legacy=false`.
>
> src/java.base/share/conf/security/java.security line 1174:
> 
>> 1172: # If the property is not set or empty, a default value will be used.
>> 1173: #
>> 1174: # For compatibility, the system property "keystore.pkcs12.legacy" can be set
> 
> Was wondering if we should add why you might want to set this property, ex: "For compatibility with JDK or PKCS12 implementations that do not support the stronger algorithms ..." 
> 
> Compatibility with prior JDK versions should be less of an issue over time as these stronger settings and algs have been backported to prior JDKs.

OpenSSL's help page shows

 -legacy             Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs

Can we also say "To work with legacy PKCS #12 files"?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8452


More information about the security-dev mailing list