RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]
Xue-Lei Andrew Fan
xuelei at openjdk.org
Wed Oct 25 17:43:32 UTC 2023
On Fri, 20 Oct 2023 17:19:52 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains six additional commits since the last revision:
>>
>> - Merge
>> - Override the client/server defaults
>> - Change made to configure max allowed cert chain lengths based on updated CSR
>> - Merge
>> - Set to default if a negative value is set
>> - 8311596: Add separate system properties for TLS server and client for maximum chain length
>
> I was wondering if it is easier to learn and remember/search by following the naming style "jdk.tls.client.XXX" or "jdk.tls.server.XXX" in the SunJSSE provider?
> @XueleiFan The current properties named `jdk.tls.client.*` and `jdk.tls.server.*` apply to settings either on the client or the server, so we'd have to rename the properties here. My suggestion is to:
>
> * Change `jdk.tls.maxServerCertificateChainLength` to `jdk.tls.client.maxAcceptedCertificateChainLength`
> * Change `jdk.tls.maxClientCertificateChainLength` to `jdk.tls.server.maxAcceptedCertificateChainLength`
>
> Thanks!
For the name `jdk.tls.maxServerCertificateChainLength`, it is not clear to me which side, client or server, the property should be applied to. It could also mean that the server can only send out certificates with this limitation.
For the name `jdk.tls.client.maxAcceptedCertificateChainLength`, the word "accepted" could be confusing to parse. It could mean the accepted cert-chain length for sending out certificates.
Maybe you can try `jdk.tls.client.maxServerCertificateChainLength`, which means that for the client side, the server certificate chain length (inbound) is limited. Or, if you want to simplify the property name, you can try `jdk.tls.client.maxInboundCertificateChainLength`.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/15163#issuecomment-1779753163