Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs

Xuelei Fan xuelei.fan at oracle.com
Thu Oct 27 00:37:02 UTC 2016


New webrev:
     http://cr.openjdk.java.net/~xuelei/8168822/webrev.01/

On 10/27/2016 8:34 AM, Wang Weijun wrote:
> One question: I thought for TLS, you check twice. First using
> jdk.tls.disabledAlgorithms on cipher suites etc, and second using
> jdk.certpath.disabledAlgorithms on certificates. Why is
> jdk.tls.disabledAlgorithms applied to cert at all?
>
jdk.tls.disabledAlgorithms also check certificates used during 
handshaking, not only cipher suites.

> Thanks
> Max
>
> On 10/27/2016 8:30 AM, Wang Weijun wrote:
>> I don't think this applies to jdk.jar.disabledAlgorithms. While the
>> private key algorithm and key size are determined by the certificate, I
>> think they are always checked even if the end-entity cert is trusted
>> (For example, a trusted self-signed cert).
>>
Make sense to me.  I removed the update on jdk.jar.disabledAlgorithms.

Thanks,
Xuelei

>> Thanks
>> Max
>>
>> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review the simple fix:
>>>
>>>     http://cr.openjdk.java.net/~xuelei/8168822/webrev/
>>>
>>> Algorithm restrictions do not apply to trusted certs as the
>>> application or customer has made the decision to trust the "trusted
>>> cert".  However, this point is not explicit for general developers and
>>> users.  We'd better to clarify this point explicitly.
>>>
>>> In the update, I add a short note for each algorithm constraint security
>>> properties:
>>>
>>>    Note: Algorithm restrictions do not apply to trusted certificates.
>>>
>>> Doc only update, no new regression test.
>>>
>>> Thanks,
>>> Xuelei


More information about the security-dev mailing list