New webrev:
http://cr.openjdk.java.net/~xuelei/8168822/webrev.01/
On 10/27/2016 8:34 AM, Wang Weijun wrote:
One question: I thought for TLS, you check twice. First using
jdk.tls.disabledAlgorithms on cipher suites etc, and second using
jdk.certpath.disabledAlgorithms on certificates. Why is
jdk.tls.disabledAlgorithms applied to cert at all?
jdk.tls.disabledAlgorithms also check certificates used during
handshaking, not only cipher suites.
Thanks
Max
On 10/27/2016 8:30 AM, Wang Weijun wrote:
I don't think this applies to jdk.jar.disabledAlgorithms. While the
private key algorithm and key size are determined by the certificate, I
think they are always checked even if the end-entity cert is trusted
(For example, a trusted self-signed cert).
Make sense to me. I removed the update on jdk.jar.disabledAlgorithms.
Thanks,
Xuelei
Thanks
Max
On 10/27/2016 8:04 AM, Xuelei Fan wrote:
Hi,
Please review the simple fix:
http://cr.openjdk.java.net/~xuelei/8168822/webrev/
Algorithm restrictions do not apply to trusted certs as the
application or customer has made the decision to trust the "trusted
cert". However, this point is not explicit for general developers and
users. We'd better to clarify this point explicitly.
In the update, I add a short note for each algorithm constraint security
properties:
Note: Algorithm restrictions do not apply to trusted certificates.
Doc only update, no new regression test.
Thanks,
Xuelei
