RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

Sean Mullan mullan at openjdk.java.net
Thu Apr 28 20:02:38 UTC 2022


On Thu, 28 Apr 2022 19:54:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> src/java.base/share/conf/security/java.security line 1174:
>> 
>>> 1172: # If the property is not set or empty, a default value will be used.
>>> 1173: #
>>> 1174: # For compatibility, the system property "keystore.pkcs12.legacy" can be set
>> 
>> Was wondering if we should add why you might want to set this property, ex: "For compatibility with JDK or PKCS12 implementations that do not support the stronger algorithms ..." 
>> 
>> Compatibility with prior JDK versions should be less of an issue over time as these stronger settings and algs have been backported to prior JDKs.
>
> OpenSSL's help page shows
> 
>  -legacy             Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
> 
> Can we also say "To work with legacy PKCS #12 files"?

But isn't it mostly an issue when creating new keystores and not reading existing ones? I would want to avoid users thinking that they had to set this in more cases than needed.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8452
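An added example, not code from this thread or from the JDK sources, illustrating the point under discussion: the property changes what a newly written PKCS #12 file is encrypted with, while reading accepts either scheme. The class and helper names are my own; the OID byte patterns are the standard PKCS #5 PBES2 and PKCS #12 pbeWithSHAAnd3-KeyTripleDES-CBC identifiers, and the run assumes a JDK that honours keystore.pkcs12.legacy.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
// Run twice from separate JVMs (the property is read once at class load):
//   java Pkcs12LegacyProbe.java
//   java -Dkeystore.pkcs12.legacy=true Pkcs12LegacyProbe.java
public class Pkcs12LegacyProbe {
    // DER-encoded OID bodies as they appear inside the keystore bytes.
    // 1.2.840.113549.1.5.13: PBES2 (wraps the current default PBEWithHmacSHA256AndAES_256)
    static final byte[] OID_PBES2 =
        {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x0d, 0x01, 0x05, 0x0d};
    // 1.2.840.113549.1.12.1.3: pbeWithSHAAnd3-KeyTripleDES-CBC (legacy PBEWithSHA1AndDESede)
    static final byte[] OID_SHA1_3DES =
        {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03};
    // Plain byte-pattern search; sufficient for locating a fixed OID encoding.
    static boolean contains(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++)
                if (hay[i + j] != needle[j]) continue outer;
            return true;
        }
        return false;
    }
    // Write a PKCS #12 keystore holding one secret-key entry; the entry is
    // encrypted with whatever keystore.pkcs12.keyProtectionAlgorithm resolves to.
    static byte[] writeKeystore(char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();  // constructed demo password
        byte[] p12 = writeKeystore(pw);
        String scheme = contains(p12, OID_SHA1_3DES) ? "legacy SHA-1/3DES"
                : contains(p12, OID_PBES2) ? "PBES2 (current default)" : "unknown";
        System.out.println("legacy property set: "
                + (System.getProperty("keystore.pkcs12.legacy") != null)
                + ", key entry protected with: " + scheme);
        // Reading does not depend on the property: the parser decrypts whichever
        // PBE scheme the file declares, so existing files open without setting it.
        KeyStore back = KeyStore.getInstance("PKCS12");
        back.load(new ByteArrayInputStream(p12), pw);
        System.out.println("read back entry 'demo': " + back.isKeyEntry("demo"));
    }
}
```

The same binary search over the OID bytes can be pointed at an existing .p12 file to tell whether it was produced with the legacy algorithms before deciding whether any consumer actually needs the property.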



More information about the security-dev mailing list