RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

Hai-May Chao hchao at openjdk.org
Mon Nov 6 20:51:40 UTC 2023


On Wed, 1 Nov 2023 14:13:32 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> When no system property is set, previously max inbound length is 10, now it's 8.
>
> I think the wording of the comment is somewhat confusing because it is trying to explain the behavior of both properties together and the words "either" and "neither" may be hard to parse. I recommend separate comment blocks for each property. Here is a suggestion for the server side setting:
> 
> 
> /* 
>  * maxInboundClientCertChainLen is the maximum length of a client certificate
>  * chain accepted by a server. It is determined as follows:
>  *  - If the jdk.tls.server.maxInboundCertificateChainLength system property
>  *    is set and its value >= 0, it uses that value.
>  *  - Otherwise, if the jdk.tls.maxCertificateChainLength system property is
>  *    set and its value >= 0, it uses that value.
>  *  - Otherwise it is set to a default value of 8.
>  */
> 
> 
> The client side setting would be similar.

Yes, I can place the comments in the code blocks for the server-side setting and client-side setting, respectively.
@XueleiFan Any feedback before I make this comment change?
I will also update the release note accordingly. Thanks!

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1383967102
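
The precedence described in the suggested comment for the server-side setting, written out as an added example; it is not code from the JDK or from this pull request. The class and method names are hypothetical, and treating a non-numeric value like an unset property is an assumption that follows from using Integer.getInteger.

```java
public class ChainLengthPrecedence {
    // Property names and the default of 8 come from the comment quoted above.
    static final String SERVER_PROP =
            "jdk.tls.server.maxInboundCertificateChainLength";
    static final String GENERIC_PROP = "jdk.tls.maxCertificateChainLength";
    static final int DEFAULT_LEN = 8;

    // Hypothetical helper: resolves the limit a server applies to an
    // inbound client certificate chain.
    static int resolveMaxInboundClientCertChainLen() {
        // Integer.getInteger returns null when the property is unset or
        // cannot be parsed as an integer (assumption: both mean "not set").
        Integer specific = Integer.getInteger(SERVER_PROP);
        if (specific != null && specific >= 0) {
            return specific;
        }
        Integer generic = Integer.getInteger(GENERIC_PROP);
        if (generic != null && generic >= 0) {
            return generic;
        }
        return DEFAULT_LEN;
    }

    static void set(String key, String value) {
        if (value == null) {
            System.clearProperty(key);
        } else {
            System.setProperty(key, value);
        }
    }

    static void show(String server, String generic) {
        set(SERVER_PROP, server);
        set(GENERIC_PROP, generic);
        System.out.printf("server=%s generic=%s -> %d%n",
                server, generic, resolveMaxInboundClientCertChainLen());
    }

    public static void main(String[] args) {
        show(null, null);   // neither property set: default applies
        show("4", "20");    // both set: server-specific property wins
        show(null, "20");   // only the generic property set
        show("-1", "20");   // negative server value falls through to generic
        show("-1", "-1");   // both negative: default applies
        show("0", "20");    // zero satisfies ">= 0" and is used as given
        show("abc", null);  // non-numeric value is treated as unset
    }
}
```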


