Different RSA keySize setting for root certificates

Benjamin Marwell bmarwell at apache.org
Fri Nov 21 07:34:56 UTC 2025


Dear security-dev list members!

Recently I was thinking I could raise the RSA restrictions to >= 4096,
i.e. setting something like this:

	jdk.tls.disabledAlgorithms=..., RSA keySize < 4096

However, while all TLS server certificates do have RSA 4096 (or EC) 
nowadays, root certificates are another game.
They often still use RSA 2048, and this is perfectly fine, according to 
most comments by security researchers I have seen.
So, applying this setting will lead to most server connections being 
rejected.

Now, I wonder if we could have two settings.
We already have `jdk.security.caDistrustPolicies`.
Maybe we could have `jdk.tls.disabledCaAlgorithms` which defaults to 
`jdk.tls.disabledAlgorithms` if not specified.
Or maybe something along those lines.

This way, we could enforce RSA4096 server connections via TLS,
but still allow those certs to be signed with a root CA that still uses 
RSA2048.

I know, this is of limited use in most environments, but I still wanted 
to introduce you to this idea.

Please let me know if this is a sensible request.

Thanks!
- Ben
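
Added example, not part of the original message and not JDK code: one way an application can get the behaviour asked for above today, by enforcing the RSA size on the server (end-entity) certificate only while the platform trust manager validates the rest of the chain. The class name `LeafRsaKeySizeTrustManager` and the method `newContext` are hypothetical; it assumes Java 16+ and that `jdk.tls.disabledAlgorithms` is left at its default rather than raised to 4096.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.*;

// Hypothetical wrapper: applies a minimum RSA size to chain[0] only.
public final class LeafRsaKeySizeTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final int minRsaBits;

    public LeafRsaKeySizeTrustManager(X509TrustManager delegate, int minRsaBits) {
        this.delegate = delegate;
        this.minRsaBits = minRsaBits;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Standard chain validation by the platform trust manager runs first.
        delegate.checkServerTrusted(chain, authType);
        // chain[0] is the server certificate; CA certificates are not size-checked here.
        if (chain[0].getPublicKey() instanceof RSAPublicKey rsa
                && rsa.getModulus().bitLength() < minRsaBits) {
            throw new CertificateException("Server RSA key is "
                    + rsa.getModulus().bitLength() + " bits, required >= " + minRsaBits);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Builds a TLS context from the default trust store with the leaf-only check added. */
    public static SSLContext newContext(int minRsaBits) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager x509) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, new TrustManager[] {
                        new LeafRsaKeySizeTrustManager(x509, minRsaBits)}, null);
                return ctx;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

EC server keys pass through unchanged, matching the "RSA 4096 (or EC)" case in the message; the check only covers connections made with the returned `SSLContext`, not the JVM-wide default.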

