Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs

Wang Weijun at
Thu Oct 27 00:34:08 UTC 2016

One question: I thought for TLS, you check twice. First using 
jdk.tls.disabledAlgorithms on cipher suites etc, and second using 
jdk.certpath.disabledAlgorithms on certificates. Why is 
jdk.tls.disabledAlgorithms applied to the cert at all?


On 10/27/2016 8:30 AM, Wang Weijun wrote:
> I don't think this applies to jdk.jar.disabledAlgorithms. While the
> private key algorithm and key size are determined by the certificate, I
> think they are always checked even if the end-entity cert is trusted
> (for example, a trusted self-signed cert).
> Thanks
> Max
> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>> Hi,
>> Please review the simple fix:
>> Algorithm restrictions do not apply to trusted certs as the
>> application or customer has made the decision to trust the "trusted
>> cert".  However, this point is not explicit for general developers and
>> users.  We'd better clarify this point explicitly.
>> In the update, I add a short note for each of the algorithm constraint
>> security properties:
>>    Note: Algorithm restrictions do not apply to trusted certificates.
>> Doc only update, no new regression test.
>> Thanks,
>> Xuelei
