Tony,

I think we should log a JDK 8u bug for this issue if one doesn't already exist. If the buggy SigAlgName was allowed in 8u updates already, then it should continue to be allowed for compatibility reasons IMO. There might be time to revert that change in 8u152.

For 9, then maybe we can document the minor behavioural change that's been introduced.

Regards,
Sean.

On 14/07/17 05:25, Anthony Scarpino wrote:
On 07/12/2017 07:45 AM, Sean Mullan wrote:
On 7/11/17 3:10 PM, Langer, Christoph wrote:

In any case, from what you are saying, I take that I can safely patch our JDK distribution with this change without doing a bad thing to security in general, wouldn't you agree?

Yes, I agree.

Also, note that you can probably also workaround this issue by adding a specific "SHA1/RSA" constraint to the jdk.certpath.disabledAlgorithms security property.

--Sean

The problem cannot be resolved by jdk.certpath.disabledAlgorithms. Without using X509CertImpl, the non-standard "SHA1/RSA" is not converted to "SHA1withRSA". The failing call is in the SSLAlgorithmConstraints.permit() checks, which match the algorithm name against a list of standard supported algorithm names, and therefore fail.

Tony
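As an added illustration of the mismatch Tony describes, in Java (this is example code written for this page, not JDK source and not code from anyone in the thread): a constraints checker that matches a certificate's SigAlgName against a list of standard JCA names rejects the non-standard spelling "SHA1/RSA" outright, regardless of what jdk.certpath.disabledAlgorithms says, and a normalization step before the check is what the X509CertImpl conversion to "SHA1withRSA" supplies in the working path. The class name, the alias table, the parsing of the property value (only bare-name entries are modelled; qualified entries such as "RSA keySize < 1024" are skipped) and the sample values are all assumptions made for this example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative model (assumption: not JDK code) of an algorithm-constraints
 * check that only understands standard JCA signature names, and of the
 * normalization step that lets a non-standard "SHA1/RSA" pass it.
 */
public final class SigAlgNameCheck {

    // Standard JCA signature names the checker recognises (constructed sample).
    private static final Set<String> STANDARD_SIG_ALGS = Set.of(
        "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
        "SHA256withECDSA", "SHA384withECDSA", "SHA1withDSA", "SHA256withDSA");

    // Non-standard spellings mapped to standard names. The thread says
    // X509CertImpl converts "SHA1/RSA" to "SHA1withRSA"; the other rows are assumed.
    private static final Map<String, String> ALIASES = Map.of(
        "SHA1/RSA", "SHA1withRSA",
        "SHA-1/RSA", "SHA1withRSA",
        "SHA256/RSA", "SHA256withRSA",
        "SHA256/ECDSA", "SHA256withECDSA");

    // Splits a standard name into digest and key-algorithm components.
    // Upper-case only on purpose, so the literal "with" cannot be swallowed.
    private static final Pattern WITH = Pattern.compile("^([A-Z0-9-]+)with([A-Z0-9-]+)$");

    private final Set<String> disabled;

    /** Parses a jdk.certpath.disabledAlgorithms-style value; bare names only. */
    public SigAlgNameCheck(String disabledProperty) {
        Set<String> names = new HashSet<>();
        for (String entry : disabledProperty.split(",")) {
            String trimmed = entry.trim();
            // Qualified entries ("RSA keySize < 1024") are not modelled here.
            if (trimmed.isEmpty() || trimmed.contains(" ")) continue;
            names.add(trimmed.toUpperCase(Locale.ROOT));
        }
        this.disabled = Collections.unmodifiableSet(names);
    }

    /** Strict check: a name that is not a standard JCA name is rejected outright. */
    public boolean permitStrict(String sigAlgName) {
        if (!STANDARD_SIG_ALGS.contains(sigAlgName)) {
            return false;   // "SHA1/RSA" lands here whatever the property says
        }
        return !isDisabled(sigAlgName);
    }

    /** Normalize the spelling first, then apply the same strict check. */
    public boolean permitNormalized(String sigAlgName) {
        String canonical = ALIASES.getOrDefault(sigAlgName, sigAlgName);
        return permitStrict(canonical);
    }

    /** Disabled if the full name or either component (e.g. "SHA1", "RSA") is listed. */
    private boolean isDisabled(String standardName) {
        if (disabled.contains(standardName.toUpperCase(Locale.ROOT))) return true;
        Matcher m = WITH.matcher(standardName);
        if (!m.matches()) return false;
        String digest = m.group(1).toUpperCase(Locale.ROOT);
        String key = m.group(2).toUpperCase(Locale.ROOT);
        return disabled.contains(digest)
            || disabled.contains(key)
            || (digest.equals("SHA1") && disabled.contains("SHA-1"));
    }

    public static void main(String[] args) {
        // Constructed property value. SHA1 is not disabled, so the only reason
        // "SHA1/RSA" can fail the strict check is its non-standard spelling.
        SigAlgNameCheck check = new SigAlgNameCheck("MD2, MD5, RSA keySize < 1024");
        System.out.println("SHA1withRSA strict      : " + check.permitStrict("SHA1withRSA"));
        System.out.println("SHA1/RSA strict         : " + check.permitStrict("SHA1/RSA"));
        System.out.println("SHA1/RSA normalized     : " + check.permitNormalized("SHA1/RSA"));

        // Once SHA1 itself is disabled, the normalized path rejects both spellings,
        // which is what an operator editing the property would expect.
        SigAlgNameCheck noSha1 = new SigAlgNameCheck("MD2, MD5, SHA1");
        System.out.println("SHA1/RSA, SHA1 disabled : " + noSha1.permitNormalized("SHA1/RSA"));
    }
}
```

Compile and run with `javac SigAlgNameCheck.java && java SigAlgNameCheck` (Java 9 or later for Set.of/Map.of). With the first property value, permitStrict("SHA1withRSA") returns true, permitStrict("SHA1/RSA") returns false and permitNormalized("SHA1/RSA") returns true, which is the point of the thread: adding entries to the disabled list cannot help when the name never reaches the list comparison in a spelling the checker understands. With SHA1 added to the property, permitNormalized("SHA1/RSA") returns false, so the property is honoured once normalization happens before the check.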

