On Thu, 28 Apr 2022 19:54:36 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> src/java.base/share/conf/security/java.security line 1174: >> >>> 1172: # If the property is not set or empty, a default value will be used. >>> 1173: # >>> 1174: # For compatibility, the system property "keystore.pkcs12.legacy" can >>> be set >> >> Was wondering if we should add why you might want to set this property, ex: >> "For compatibility with JDK or PKCS12 implementations that do not support >> the stronger algorithms ..." >> >> Compatibility with prior JDK versions should be less of an issue over time >> as these stronger settings and algs have been backported to prior JDKs. > > OpenSSL's help page shows > > -legacy Use legacy encryption: 3DES_CBC for keys, RC2_CBC for > certs > > Can we also say "To work with legacy PKCS #12 files"? But isn't it mostly an issue when creating new keystores and not reading existing ones? I would want to avoid users thinking that they had to set this in more cases than needed. ------------- PR: https://git.openjdk.java.net/jdk/pull/8452