On Fri, 4 Aug 2023 17:30:06 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank 
> you.

src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 159:

> 157:         maxServerCertificateChainLength = (serverLen != null) ?
> 158:                 serverLen : maxCertificateChainLength;
> 159:     }

I wonder if we should take the opportunity here with these new properties as 
well as `jdk.tls.maxCertificateChainLength` to also equate negative numbers 
(and maybe zero) to be the default.  Right now only property values that fail 
the internal parseInt conversion will evaluate to `null` and would be assigned 
the default I think.  But a negative value I think would be taken as-is from 
the property.  Should a negative max cert chain length get set to the default?  
If so, it might also make sense to give a warning about the offending value and 
note that it is being set to the default (similar to what 
`GetPropertyAction.privilegedGetTimeoutProp()` does).
If you think this is worthwhile, the CSR should probably be updated to reflect 
that also.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1286185634
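
The behaviour discussed in this review comment, as an added example that is not code from the PR or from the JDK. The server property name `example.tls.server.maxChainLength`, the default of 10, and the `lenient`/`validated` helpers are assumptions made for illustration; only `jdk.tls.maxCertificateChainLength` appears in the message above.

```java
public class ChainLengthProps {
    // Constructed default for this example, not a value taken from the PR.
    static final int DEFAULT_MAX_CHAIN = 10;

    // Behaviour described in the comment: only unset or unparsable values
    // become null and fall back; a negative number is accepted as-is.
    static int lenient(String prop, int fallback) {
        Integer v = Integer.getInteger(prop); // null if unset or not an integer
        return (v != null) ? v : fallback;
    }

    // Suggested behaviour: out-of-range values also fall back, with a warning.
    // Whether zero counts as valid is left open in the comment, hence the flag.
    static int validated(String prop, int fallback, boolean zeroAllowed) {
        String raw = System.getProperty(prop);
        if (raw == null) {
            return fallback;
        }
        try {
            int v = Integer.parseInt(raw.trim());
            if (v > 0 || (v == 0 && zeroAllowed)) {
                return v;
            }
        } catch (NumberFormatException e) {
            // fall through to the warning below
        }
        System.err.println("Warning: invalid value \"" + raw + "\" for "
                + prop + "; using default " + fallback);
        return fallback;
    }

    public static void main(String[] args) {
        String global = "jdk.tls.maxCertificateChainLength";
        String server = "example.tls.server.maxChainLength"; // hypothetical name

        // Constructed sample values: valid, unparsable, negative, zero.
        for (String sample : new String[] {"5", "abc", "-1", "0"}) {
            System.setProperty(global, sample);
            System.setProperty(server, sample);
            int before = lenient(server, lenient(global, DEFAULT_MAX_CHAIN));
            int after = validated(server,
                    validated(global, DEFAULT_MAX_CHAIN, false), false);
            System.out.printf("%-4s lenient=%d validated=%d%n",
                    sample, before, after);
        }
    }
}
```

With the constructed inputs, `lenient` returns -1 and 0 unchanged, while `validated` returns the default for both and for `abc`.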
