RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v2]
Hai-May Chao
hchao at openjdk.org
Wed Sep 6 20:02:11 UTC 2023
On Mon, 7 Aug 2023 17:23:11 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Set to default if a negative value is set
>
> src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 159:
>
>> 157: maxServerCertificateChainLength = (serverLen != null) ?
>> 158: serverLen : maxCertificateChainLength;
>> 159: }
>
> I wonder if we should take the opportunity here with these new properties as well as `jdk.tls.maxCertificateChainLength` to also equate negative numbers (and maybe zero) to be the default. Right now only property values that fail the internal parseInt conversion will evaluate to `null` and would be assigned the default I think. But a negative value I think would be taken as-is from the property. Should a negative max cert chain length get set to the default? If so, it might also make sense to give a warning about the offending value and note that it is being set to the default (similar to what `GetPropertyAction.privilegedGetTimeoutProp()` does).
> If you think this is worthwhile, the CSR should probably be updated to reflect that also.
Change made to set to the default when a negative value is set for these system properties. Updated CSR for this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1317760469
More information about the security-dev
mailing list