RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]
Hai-May Chao
hchao at openjdk.org
Fri Oct 13 19:33:12 UTC 2023
On Fri, 13 Oct 2023 18:59:44 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Change made to configure max allowed cert chain lengths based on updated CSR
>
> src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 173:
>
>> 171: */
>> 172: if (maxCertificateChainLength > 0) {
>> 173: if (clientLen == 8) {
>
> If the user sets "jdk.tls.maxClientCertificateChainLength" precisely to 8, you will ignore it?
Since 8 is the default for "jdk.tls.maxClientCertificateChainLength", it is going to be overridden when "jdk.tls.maxCertificateChainLength" is set. Setting "jdk.tls.maxClientCertificateChainLength" to 8 is treated as keeping the original default, like a no-op.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1358734387
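
The resolution rule discussed in this exchange, as an added example that is not part of the original message and not code from SSLConfiguration.java. It models only the client-side behaviour as described in the reply (default 8, overridden by the general property when the client value equals the default); the class, the method names and the presence-based variant are hypothetical, and properties are passed in a map so the example runs stand-alone.

```java
import java.util.Map;

public class ChainLengthResolution {
    static final String GENERAL = "jdk.tls.maxCertificateChainLength";
    static final String CLIENT = "jdk.tls.maxClientCertificateChainLength";
    static final int CLIENT_DEFAULT = 8; // default stated in the thread

    // Parse a property value, falling back to dflt when unset or malformed.
    static int parse(String s, int dflt) {
        if (s == null) return dflt;
        try {
            return Integer.parseInt(s.trim());
        } catch (NumberFormatException e) {
            return dflt;
        }
    }

    // Behaviour described in the reply: a client value equal to the default
    // is indistinguishable from "not set", so the general property wins.
    static int resolveBySentinel(Map<String, String> props) {
        int clientLen = parse(props.get(CLIENT), CLIENT_DEFAULT);
        int generalLen = parse(props.get(GENERAL), 0);
        if (generalLen > 0 && clientLen == CLIENT_DEFAULT) {
            return generalLen;
        }
        return clientLen;
    }

    // Hypothetical contrast: decide on whether the client property is present,
    // so an explicit 8 is honoured even when the general property is set.
    static int resolveByPresence(Map<String, String> props) {
        String client = props.get(CLIENT);
        if (client != null) return parse(client, CLIENT_DEFAULT);
        int generalLen = parse(props.get(GENERAL), 0);
        return generalLen > 0 ? generalLen : CLIENT_DEFAULT;
    }

    public static void main(String[] args) {
        // Constructed inputs: general limit 20, client limit explicit 8 / explicit 5 / unset.
        Map<String, String> explicit8 = Map.of(GENERAL, "20", CLIENT, "8");
        Map<String, String> explicit5 = Map.of(GENERAL, "20", CLIENT, "5");
        Map<String, String> unset = Map.of(GENERAL, "20");
        System.out.println("explicit 8: sentinel=" + resolveBySentinel(explicit8)
                + " presence=" + resolveByPresence(explicit8)); // 20 vs 8
        System.out.println("explicit 5: sentinel=" + resolveBySentinel(explicit5)
                + " presence=" + resolveByPresence(explicit5)); // 5 vs 5
        System.out.println("unset:      sentinel=" + resolveBySentinel(unset)
                + " presence=" + resolveByPresence(unset));     // 20 vs 20
    }
}
```

The two rules differ only in the first case, which is the one the review comment asks about: with the general property at 20, an explicit client value of 8 resolves to 20 under the sentinel rule.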