RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length
Jamil Nimeh
jnimeh at openjdk.org
Mon Aug 7 17:25:31 UTC 2023
On Fri, 4 Aug 2023 17:30:06 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank you.
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 159:
> 157: maxServerCertificateChainLength = (serverLen != null) ?
> 158: serverLen : maxCertificateChainLength;
> 159: }
I wonder if we should take the opportunity here with these new properties as well as `jdk.tls.maxCertificateChainLength` to also equate negative numbers (and maybe zero) to be the default. Right now only property values that fail the internal parseInt conversion will evaluate to `null` and would be assigned the default I think. But a negative value I think would be taken as-is from the property. Should a negative max cert chain length get set to the default? If so, it might also make sense to give a warning about the offending value and note that it is being set to the default (similar to what `GetPropertyAction.privilegedGetTimeoutProp()` does).
If you think this is worthwhile, the CSR should probably be updated to reflect that also.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1286185634
More information about the security-dev
mailing list