RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]
Hai-May Chao
hchao at openjdk.org
Fri Oct 13 23:00:27 UTC 2023
On Fri, 13 Oct 2023 21:43:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Since 8 is the default for "jdk.tls.maxClientCertificateChainLength", it is going to be overridden when "jdk.tls.maxCertificateChainLength" is set. Setting "jdk.tls.maxClientCertificateChainLength" to 8 is treated as keeping the original default, like a no-op.
>
> If I understand correctly, "jdk.tls.maxClientCertificateChainLength" is meant to override "jdk.tls.maxClientCertificateChainLength" if both are defined. Then what would happen if the user has specified `-Djdk.tls.maxClientCertificateChainLength=8 -Djdk.tls.maxCertificateChainLength=4`?
`jdk.tls.maxCertificateChainLength` will only override `jdk.tls.maxClientCertificateChainLength` if `jdk.tls.maxCertificateChainLength` is set AND `jdk.tls.maxClientCertificateChainLength` is using the default. For the case you provided here, `jdk.tls.maxClientCertificateChainLength` will be overridden to be 4, which is set by `jdk.tls.maxCertificateChainLength`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1358946093
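The precedence rule described in this reply, modelled as an added example (not code from the JDK or from the pull request). The class and method names, the fallback for invalid values, and the presence-based variant shown for comparison are assumptions; the inputs are constructed.

```java
import java.util.List;
import java.util.Map;

public class ChainLengthPrecedence {
    static final String GLOBAL = "jdk.tls.maxCertificateChainLength";
    static final String CLIENT = "jdk.tls.maxClientCertificateChainLength";
    static final int CLIENT_DEFAULT = 8; // default stated in the thread

    // Rule as described in the reply: the general property wins whenever the
    // client value equals the default, whether or not it was set explicitly.
    static int valueBased(Map<String, String> props) {
        int client = parse(props.get(CLIENT), CLIENT_DEFAULT);
        String global = props.get(GLOBAL);
        if (global != null && client == CLIENT_DEFAULT) {
            return parse(global, CLIENT_DEFAULT);
        }
        return client;
    }

    // Comparison only (hypothetical): the general property wins only when
    // the client property is absent.
    static int presenceBased(Map<String, String> props) {
        if (props.containsKey(CLIENT)) {
            return parse(props.get(CLIENT), CLIENT_DEFAULT);
        }
        return parse(props.get(GLOBAL), CLIENT_DEFAULT);
    }

    // Fall back when unset, non-numeric or negative (assumed policy).
    static int parse(String raw, int fallback) {
        if (raw == null) return fallback;
        try {
            int v = Integer.parseInt(raw.trim());
            return v >= 0 ? v : fallback;
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the case asked about in the thread.
        List<Map<String, String>> cases = List.of(
            Map.of(),
            Map.of(CLIENT, "8", GLOBAL, "4"),
            Map.of(CLIENT, "6", GLOBAL, "4"),
            Map.of(GLOBAL, "4"));
        for (Map<String, String> c : cases) {
            System.out.printf("%s -> value-based=%d presence-based=%d%n",
                    c, valueBased(c), presenceBased(c));
        }
    }
}
```

Only the second input separates the two rules: a limit explicitly set to the default value cannot be told apart from an unset one under the value-based rule, so the effective client-side limit follows the general property.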