That change looks fine to me. Thanks.
> On 13 Mar 2017, at 14:57, Sean Mullan <[email protected]> wrote: > > Please review this configuration change to disable SHA-1 TLS server > certificates by default in JDK 9. In order to be disabled, the certificates > must chain back to trusted root certificate in the cacerts keystore that has > a " [jdk]" attribute appended to their alias name. > > --Sean > > diff --git a/src/java.base/share/conf/security/java.security > b/src/java.base/share/conf/security/java.security > --- a/src/java.base/share/conf/security/java.security > +++ b/src/java.base/share/conf/security/java.security > @@ -598,8 +598,8 @@ > # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 > # > # > -jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ > - DSA keySize < 1024, EC keySize < 224 > +jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ > + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 > > # > # Algorithm restrictions for signed JAR files
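Review bot: The new `SHA1 jdkCA & usage TLSServer` entry on the `+jdk.certpath.disabledAlgorithms=` line is a scoped restriction, and nothing in the visible comment context documents that scope. The only commented example shown, `MD2, DSA, RSA keySize < 2048`, uses no `jdkCA` or `usage` constraint. As written, SHA-1 certificates stay accepted when the chain ends at a root whose cacerts alias lacks the " [jdk]" attribute, and for any usage other than TLS server. I would add a short comment directly above the property saying this, so that someone reading java.security does not take SHA-1 to be disabled outright. It is also worth confirming that the comment block above this hunk describes both constraints.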
