RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]
Sean Mullan
mullan at openjdk.org
Wed Nov 1 14:16:16 UTC 2023
On Wed, 1 Nov 2023 13:58:01 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> I don't see a behavior change that conflicts with the CSR. I think it is a wording issue, let me suggest some improvements in another comment. There is no longer a default value for `jdk.tls.maxCertificateChainLength`. Where is it set to 8 in the code?
>
> When no system property is set, previously max inbound length is 10, now it's 8.
I think the wording of the comment is somewhat confusing because it is trying to explain the behavior of both properties together and the words "either" and "neither" may be hard to parse. I recommend separate comment blocks for each property. Here is a suggestion for the server side setting:
/*
 * maxInboundClientCertChainLen is the maximum length of a client certificate
 * chain accepted by a server. It is determined as follows:
 * - If the jdk.tls.server.maxInboundCertificateChainLength system property
 *   is set and its value >= 0, it uses that value.
 * - Otherwise, if the jdk.tls.maxCertificateChainLength system property is
 *   set and its value >= 0, it uses that value.
 * - Otherwise it is set to a default value of 8.
 */
The client side setting would be similar.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1378856511
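The resolution order described in the suggested comment (role-specific property, then the generic property, then the default of 8), written out as an added Java example that is not the JDK's own code. It assumes a client-side property named jdk.tls.client.maxInboundCertificateChainLength by analogy with the server one, and treats a non-numeric property value as unset.

```java
import java.util.OptionalInt;

/** Resolves the effective maximum inbound certificate chain length for a TLS role. */
public final class ChainLengthResolver {
    // Property names as discussed in the thread; the client name is assumed by analogy.
    static final String SERVER_PROP = "jdk.tls.server.maxInboundCertificateChainLength";
    static final String CLIENT_PROP = "jdk.tls.client.maxInboundCertificateChainLength";
    static final String GENERIC_PROP = "jdk.tls.maxCertificateChainLength";
    static final int DEFAULT_LEN = 8;

    // Read a property as a non-negative int. Unset, negative or (by assumption of this
    // example) non-numeric values all count as "not set" so the next fallback applies.
    static OptionalInt readNonNegative(String name) {
        String v = System.getProperty(name);
        if (v == null) return OptionalInt.empty();
        try {
            int n = Integer.parseInt(v.trim());
            return n >= 0 ? OptionalInt.of(n) : OptionalInt.empty();
        } catch (NumberFormatException e) {
            return OptionalInt.empty();
        }
    }

    /** Role-specific property first, then the generic one, then the default of 8. */
    static int resolve(String roleSpecificProp) {
        OptionalInt specific = readNonNegative(roleSpecificProp);
        if (specific.isPresent()) return specific.getAsInt();
        return readNonNegative(GENERIC_PROP).orElse(DEFAULT_LEN);
    }

    public static void main(String[] args) {
        // Constructed scenarios: start from a clean state where nothing is set.
        System.clearProperty(SERVER_PROP);
        System.clearProperty(CLIENT_PROP);
        System.clearProperty(GENERIC_PROP);
        System.out.println("nothing set, server limit: " + resolve(SERVER_PROP));

        // Only the generic property set: both roles inherit it.
        System.setProperty(GENERIC_PROP, "12");
        System.out.println("generic=12, client limit: " + resolve(CLIENT_PROP));

        // A negative role-specific value is ignored and the generic value still applies.
        System.setProperty(SERVER_PROP, "-1");
        System.out.println("server=-1, server limit: " + resolve(SERVER_PROP));

        // A valid role-specific value overrides the generic one for that role only.
        System.setProperty(SERVER_PROP, "3");
        System.out.println("server=3, server limit: " + resolve(SERVER_PROP));
        System.out.println("server=3, client limit: " + resolve(CLIENT_PROP));
    }
}
```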