RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

Xue-Lei Andrew Fan xuelei at openjdk.org
Wed Nov 8 04:21:06 UTC 2023


On Tue, 7 Nov 2023 20:27:06 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> I'm not sure if there is a clear reason to change the default value from 10 to 8.  I'm fine if you want to keep using the value 10 for fewer compatibility issues. Otherwise, I have no more comments.  Thanks!
>> 
>>> Yes, I can place the comments in the code blocks for the server-side setting and client-side setting, respectively. @XueleiFan Any feedback before I make this comment change? I will also update the release note accordingly. Thanks!
>
> The choice of 8 for the client is mostly based on different processing requirements and use cases for TLS client vs server certificate chains. If we see evidence that 8 is too low, we can always consider adjusting it.

I'm not sure if the number 8 or 10 really makes a real difference in practice.  No matter whether it is 8 or 10, if customers need a lower value, they can always consider adjusting it.  My concern is mainly about compatibility issues.  If you want to keep the behavior change, as there is a potential compatibility issue, please feel free to describe the behavior change in the release note and CSR if you would like.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1385958137



More information about the security-dev mailing list