Re: RFR: 3 security-libs release notes on keytool/krb5/etc

Fri, 24 Mar 2017 04:03:07 -0700 

I'll use "short key".

Thanks
Max

On 03/24/2017 06:26 PM, Bernd Eckenfels wrote:

I wonder if "weak key" should be replaced by "weak key length" or "short
key". It might otherwise imply key quality tests which are not carried out.

Gruss
Bernd
--
http://bernd.eckenfels.net
<https://urldefense.proofpoint.com/v2/url?u=http-3A__bernd.eckenfels.net&d=DwMFAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=L95YSg0eIcTu_shXWyN3XgC5kRlt5xJJuqogC6Ulqlk&m=nQPaZ9oNisvgXYmsVbzFkcB0qjPKYWTsWh0IIQtt1nw&s=yLFl1pk3TBMwqMqZMDE2e4d8rt9AVyNfUaC84QV3Lr0&e=>

------------------------------------------------------------------------
*From:* security-dev <security-dev-boun...@openjdk.java.net> on behalf
of Weijun Wang <weijun.w...@oracle.com>
*Sent:* Friday, March 24, 2017 2:12:01 AM
*To:* Security Dev OpenJDK
*Subject:* RFR: 3 security-libs release notes on keytool/krb5/etc

Hi All

Please take a review on 3 release notes. The content itself is pasted as
quotation below.

https://bugs.openjdk.java.net/browse/JDK-8176087
keytool now prints warnings when reading or generating cert/cert req
using weak algorithms


In all keytool functions, if the certificate/certificate request/CRL
that is working on (whether it be the input, the output, or an
existing object) is using a weak algorithm or key, a warning will be
printed out.

Precisely, an algorithm or a key is weak if it matches the value of
the jdk.certpath.disabledAlgorithms security property defined in
conf/security/java.security.


https://bugs.openjdk.java.net/browse/JDK-8174143
Deprecate security APIs that have been superseded


The classes and interfaces in the `java.security.acl` and
`javax.security.cert` packages have been superseded by replacements
for a long time and are deprecated in JDK 9. Two methods
`javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()` and
`javax.net.ssl.SSLSession.getPeerCertificateChain()` are also
deprecated since they return the
`javax.security.cert.X509Certificate` type.


https://bugs.openjdk.java.net/browse/JDK-8168635
rcache interop with krb5-1.15


The hash algorithm used in the Kerberos 5 replay cache file (rcache)
is updated from MD5 to SHA256 with this change. This is also the
algorithm used by MIT krb5-1.15. This change is interoperable with
earlier releases of MIT krb5, which means Kerberos 5 acceptors from
JDK 9 and MIT krb5-1.14 can share the same rcache file.

A new system property named jdk.krb5.rcache.useMD5 is introduced. If
the system property is set to "true", JDK 9 will still use the MD5
hash algorithm in rcache. This is useful when both of the following
conditions are true: 1) the system has a very coarse clock and has to
depend on hash values in replay attack detection, and 2)
interoperability with earlier versions of JDK or MIT krb5 for rcache
files is required. The default value of this system property is
"false".


Thanks
Max

Reply via email to