RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]
Hai-May Chao
hchao at openjdk.org
Tue Oct 24 16:36:42 UTC 2023
On Fri, 20 Oct 2023 17:19:52 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains six additional commits since the last revision:
>>
>> - Merge
>> - Override the client/server defaults
>> - Change made to configure max allowed cert chain lengths based on updated CSR
>> - Merge
>> - Set to default if a negative value is set
>> - 8311596: Add separate system properties for TLS server and client for maximum chain length
>
> I was wondering, if it is easier to learn and remember/search by following the naming style "jdk.tls.client.XXX" or "jdk.tls.server.XXX" in SunJSSE provider?
@XueleiFan The current properties named `jdk.tls.client.*` and `jdk.tls.server.*` apply to settings either on the client or the server, so we'd have to rename the properties here. My suggestion is to:
- Change `jdk.tls.maxServerCertificateChainLength` to `jdk.tls.client.maxAcceptedCertificateChainLength`
- Change `jdk.tls.maxClientCertificateChainLength` to `jdk.tls.server.maxAcceptedCertificateChainLength`
Thanks!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/15163#issuecomment-1777609067