RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]
Sean Mullan
mullan at openjdk.org
Tue Nov 7 20:30:10 UTC 2023
On Tue, 7 Nov 2023 07:40:19 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> Yes, I can place the comments in the code blocks for the server-side setting and client-side setting, respectively.
>> @XueleiFan Any feedback before I make this comment change?
>> I will also update the release note accordingly. Thanks!
>
> I'm not sure if there is a clear reason to change the default value from 10 to 8. I'm fine if you want to keep using the value 10 for fewer compatibility issues. Otherwise, I have no more comments. Thanks!
The choice of 8 for the client is mostly based on different processing requirements and use cases for TLS client vs server certificate chains. If we see evidence that 8 is too low, we can always consider adjusting it.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1385524607