Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs
Wang Weijun
weijun.wang at oracle.com
Thu Oct 27 00:34:08 UTC 2016
One question: I thought for TLS, you check twice. First using
jdk.tls.disabledAlgorithms on cipher suites etc, and second using
jdk.certpath.disabledAlgorithms on certificates. Why is
jdk.tls.disabledAlgorithms applied to cert at all?
Thanks
Max
On 10/27/2016 8:30 AM, Wang Weijun wrote:
> I don't think this applies to jdk.jar.disabledAlgorithms. While the
> private key algorithm and key size are determined by the certificate, I
> think they are always checked even if the end-entity cert is trusted
> (For example, a trusted self-signed cert).
>
> Thanks
> Max
>
> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review the simple fix:
>>
>> http://cr.openjdk.java.net/~xuelei/8168822/webrev/
>>
>> Algorithm restrictions do not apply to trusted certs as the
>> application or customer has made the decision to trust the "trusted
>> cert". However, this point is not explicit for general developers and
>> users. We'd better to clarify this point explicitly.
>>
>> In the update, I add a short note for each algorithm constraint security
>> properties:
>>
>> Note: Algorithm restrictions do not apply to trusted certificates.
>>
>> Doc only update, no new regression test.
>>
>> Thanks,
>> Xuelei
More information about the security-dev
mailing list