On Fri, 4 Mar 2022 12:29:28 GMT, Michael McMahon <micha...@openjdk.org> wrote:
> > So, maybe, we could have a 2nd net property with the default disabled > > algorithms and in net.properties we identify MD5 only for now. Users could > > add to that list if they want or even specify it on the command line. I > > think it's potentially confusing, but maybe there is a case for adding to > > the disabled list. I need to think about a way to do this without subvertng > > the point about making the user explicitly opt in. > > Thinking about it again, I wonder if we should just deprecate SHA-1 at the > same time. I think there will be less compatibility impact than with MD5, and > it's basically broken as well. I don't see a reason to opt out of other > algorithms at this time. I see - maybe we should have a security property identifying the list of algorithm that are disabled, and then a system property to reenable them? ------------- PR: https://git.openjdk.java.net/jdk/pull/7688