RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

Xue-Lei Andrew Fan xuelei at openjdk.org
Wed Nov 1 07:38:13 UTC 2023


On Mon, 30 Oct 2023 21:53:44 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> I agree that wording is more clear. We should also update the RN with that wording.
>
> This section of comments was taken from the CSR. I updated the comments as follows. If it looks fine, I will update the related doc. Thanks!
> 
>         /*
>          * If either jdk.tls.server.maxInboundCertificateChainLength or
>          * jdk.tls.client.maxInboundCertificateChainLength is set, it will
>          * override jdk.tls.maxCertificateChainLength, regardless of whether
>          * jdk.tls.maxCertificateChainLength is set or not.
>          * If neither jdk.tls.server.maxInboundCertificateChainLength nor
>          * jdk.tls.client.maxInboundCertificateChainLength is set, the behavior
>          * depends on the setting of jdk.tls.maxCertificateChainLength. If
>          * jdk.tls.maxCertificateChainLength is set, it falls back to that
>          * value; otherwise, it defaults to 8 for
>          * jdk.tls.server.maxInboundCertificateChainLength
>          * and 10 for jdk.tls.client.maxInboundCertificateChainLength.
>          * Users can independently set either
>          * jdk.tls.server.maxInboundCertificateChainLength or
>          * jdk.tls.client.maxInboundCertificateChainLength.
>          */

Sorry, I did not get time to review this behavior update.

> This section of comments was taken from the CSR. I updated the comments as follows. If it looks fine, I will update the related doc. Thanks!
> 
> ```
>         /*
>          * If either jdk.tls.server.maxInboundCertificateChainLength or
>          * jdk.tls.client.maxInboundCertificateChainLength is set, it will
>          * override jdk.tls.maxCertificateChainLength, regardless of whether
>          * jdk.tls.maxCertificateChainLength is set or not.
I'm not sure the statement is clear enough.  I think there are two points that need to be clarified.  The 1st one is that there is a default value of jdk.tls.maxCertificateChainLength, which is 10.  The 2nd one is that jdk.tls.maxCertificateChainLength works for both client and server mode.  jdk.tls.server.maxInboundCertificateChainLength works on server mode, and it does not work for client mode, and therefore it cannot override client mode behavior for jdk.tls.maxCertificateChainLength.  The same for jdk.tls.client.maxInboundCertificateChainLength.

To be clear, the release note or the comment might be placed in different code blocks like:

```
/* If jdk.tls.server.maxInboundCertificateChainLength is set, it will override jdk.tls.maxCertificateChainLength behavior for server side.
 */

Integer inboundClientLen = ...

/* If jdk.tls.client.maxInboundCertificateChainLength is set, it will override jdk.tls.maxCertificateChainLength behavior for client side.
 */
Integer inboundServerLen = GetIntegerAction.privilegedGetProperty(
```


>          * If neither jdk.tls.server.maxInboundCertificateChainLength nor
>          * jdk.tls.client.maxInboundCertificateChainLength is set, the behavior
>          * depends on the setting of jdk.tls.maxCertificateChainLength. If
>          * jdk.tls.maxCertificateChainLength is set, it falls back to that
>          * value; otherwise, it defaults to 8 for
>          * jdk.tls.server.maxInboundCertificateChainLength

Previously, the jdk.tls.maxCertificateChainLength default value was 10.  Now it is changed to 8.  This is a behavior change; please document it in the release note, or just use 10 in the implementation.


>          * and 10 for jdk.tls.client.maxInboundCertificateChainLength.
>          * Users can independently set either
>          * jdk.tls.server.maxInboundCertificateChainLength or
>          * jdk.tls.client.maxInboundCertificateChainLength.
>          */ 
> ```

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1378477689
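The precedence the reviewer spells out above, as an added illustration (not JDK code and not the PR's implementation): a mode-specific property applies only to its own mode, otherwise the resolver falls back to jdk.tls.maxCertificateChainLength, and finally to that property's existing default of 10. The `ChainLengthResolver` class, the `Map`-backed stand-in for system properties, and the choice to treat a non-numeric value as unset are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration of the review's precedence rules; not JDK code. */
public final class ChainLengthResolver {
    static final String LEGACY = "jdk.tls.maxCertificateChainLength";
    static final String SERVER = "jdk.tls.server.maxInboundCertificateChainLength";
    static final String CLIENT = "jdk.tls.client.maxInboundCertificateChainLength";
    static final int LEGACY_DEFAULT = 10;   // the default the review cites

    /**
     * Returns the effective inbound chain limit for one mode.
     * props stands in for System properties (assumption for the example).
     */
    static int resolve(Map<String, String> props, boolean serverMode) {
        // The mode-specific property overrides the legacy one for this mode only;
        // the other mode never sees it.
        Integer specific = parse(props.get(serverMode ? SERVER : CLIENT));
        if (specific != null) {
            return specific;
        }
        // Neither mode-specific property applies: fall back to the legacy
        // property, which still covers both client and server mode.
        Integer legacy = parse(props.get(LEGACY));
        return legacy != null ? legacy : LEGACY_DEFAULT;
    }

    /** Assumption: an absent or non-numeric value is treated as unset. */
    private static Integer parse(String value) {
        if (value == null) {
            return null;
        }
        try {
            return Integer.valueOf(value.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, String> props = new HashMap<>();   // constructed sample settings
        props.put(SERVER, "4");
        System.out.println("server-only set: server=" + resolve(props, true)
                + " client=" + resolve(props, false));
        props.put(LEGACY, "6");
        System.out.println("legacy added:    server=" + resolve(props, true)
                + " client=" + resolve(props, false));
    }
}
```

With only the server property set, client mode still resolves to the legacy default; once jdk.tls.maxCertificateChainLength is set, client mode follows it while server mode keeps its own value.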
