RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

Sean Mullan mullan at openjdk.org
Mon Oct 16 13:35:25 UTC 2023


On Fri, 13 Oct 2023 23:15:15 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> `jdk.tls.maxCertificateChainLength` will only override `jdk.tls.maxClientCertificateChainLength` if `jdk.tls.maxCertificateChainLength` is set AND `jdk.tls.maxClientCertificateChainLength` is using the default. For the case you provided here, `jdk.tls.maxClientCertificateChainLength` will be overridden to be 4, which is set by `jdk.tls.maxCertificateChainLength`.
>
> That's not my understanding. Since `jdk.tls.maxClientCertificateChainLength` is explicitly set on the command line you should honor it.

Yes, I agree that if the application sets `jdk.tls.maxClientCertificateChainLength` or `jdk.tls.maxServerCertificateChainLength`, it should always take precedence even if the specified value is the same as the default. This would also preserve application behavior if one day we want to change the default to something else.

You will need to first see if these properties are set before assigning the default value.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1360672720
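The precedence problem discussed in this thread, as an added example that is not the JDK's code nor part of the review above: the "by value" resolver treats a side-specific property whose value happens to equal the default as "not set" and lets `jdk.tls.maxCertificateChainLength` override it, while the "by presence" resolver checks whether the property exists before assigning the default, so an explicit setting is always honored. The default values (8 and 10) and the class name are assumptions for the demo, not values stated on this page.

```java
import java.util.Properties;

// Added example (not JDK code): resolve the effective per-side certificate chain
// limit from the three system properties discussed in the thread.
public final class ChainLengthResolver {
    // Hypothetical placeholder defaults; the real JDK defaults are not stated on this page.
    static final int DEFAULT_CLIENT = 8;
    static final int DEFAULT_SERVER = 10;
    static final String GENERIC = "jdk.tls.maxCertificateChainLength";

    /** Flawed resolution: "value equals default" is taken to mean "not set", so an
     *  explicit -Djdk.tls.maxClientCertificateChainLength=8 is silently replaced
     *  by the generic property whenever that generic property is present. */
    static int resolveByValue(Properties p, String specific, int def) {
        int specificVal = parse(p.getProperty(specific), def);
        String generic = p.getProperty(GENERIC);
        if (generic != null && specificVal == def) {
            return parse(generic, def);
        }
        return specificVal;
    }

    /** Corrected resolution: first check whether the side-specific property is
     *  present at all; only when it is absent fall back to the generic property,
     *  and only when that is absent too use the built-in default. */
    static int resolveByPresence(Properties p, String specific, int def) {
        String specificVal = p.getProperty(specific);
        if (specificVal != null) {
            return parse(specificVal, def);
        }
        String generic = p.getProperty(GENERIC);
        return generic != null ? parse(generic, def) : def;
    }

    // Malformed or missing values fall back to the supplied default.
    private static int parse(String s, int fallback) {
        if (s == null) return fallback;
        try { return Integer.parseInt(s.trim()); } catch (NumberFormatException e) { return fallback; }
    }

    public static void main(String[] args) {
        // Constructed command line: -Djdk.tls.maxCertificateChainLength=4
        //                           -Djdk.tls.maxClientCertificateChainLength=8
        Properties p = new Properties();
        p.setProperty(GENERIC, "4");
        p.setProperty("jdk.tls.maxClientCertificateChainLength", "8");
        String client = "jdk.tls.maxClientCertificateChainLength";
        // The first call returns the generic limit; the second honors the explicit client limit.
        System.out.println("by value:    " + resolveByValue(p, client, DEFAULT_CLIENT));
        System.out.println("by presence: " + resolveByPresence(p, client, DEFAULT_CLIENT));
        System.out.println("server (unset, falls back to generic): "
                + resolveByPresence(p, "jdk.tls.maxServerCertificateChainLength", DEFAULT_SERVER));
    }
}
```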



More information about the security-dev mailing list