On 24/02/16 09:23, Stefan Seelmann wrote:
> On 02/22/2016 10:29 AM, Kiran Ayyagari wrote:
>> On Mon, Feb 22, 2016 at 2:44 PM, Stefan Seelmann <m...@stefan-seelmann.de>
>> wrote:
>>
>>> Hi,
>>>
>>> after update to latest JDK (1.8.0_74, 1.7.0_95) some tests in
>>> server-integ fail. I think the cause is that since 1.8.0_71 MD5 is
>>> disabled[1].
>>>
>>> I think we just need to change the algorithms used when generating the
>>> certificates, but I don't find the place in the code where that can be
>>> done. Any pointers?
>>>
>> the only class which we use for generating the default certificate is
>> TlsKeyGenerator.java
> Thanks Kiran for the pointer.
>
> It turned out the reason is not MD5 (we use SHA1), but the key size. In
> TlsKeyGenerator the KEY_SIZE is set to 512, if I increase to 1024 the
> tests pass.
>
> Would be an easy fix, however there is a comment above KEY_SIZE:
>
>     ... however note to pass export restrictions we must use a key
>     size of 512 or less here as the default ...
>     ... This is required to classify ApacheDS in the ECCN 5D002
>     category.  Please see the following page for more information:
>     http://www.apache.org/dev/crypto.html ...
>
> That page still states 512 bits, but also includes a note that the law
> was changed in 2010, but it seems ASF Legal didn't update the page.
>
> So are we still bound to the 512 bits restriction? Or can we just change
> it to 1024 (or even higher)? Or should we just ask Legal?

I'll check the page. I remember having had to deal with the ECCN
declaration for Directory 10 years ago (sort of), and it was a kind of a
pain, but a necessary one.


I'll keep you posted.
