RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates

Sean Mullan
Please review this configuration change to disable SHA-1 TLS server
certificates by default in JDK 9. In order to be disabled, the
certificates must chain back to trusted root certificate in the cacerts
keystore that has a " [jdk]" attribute appended to their alias name.

--Sean

diff --git a/src/java.base/share/conf/security/java.security
b/src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -598,8 +598,8 @@
  #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
  #
  #
-jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-    DSA keySize < 1024, EC keySize < 224
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

  #
  # Algorithm restrictions for signed JAR files
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates

Vincent Ryan
That change looks fine to me.
Thanks.


> On 13 Mar 2017, at 14:57, Sean Mullan <[hidden email]> wrote:
>
> Please review this configuration change to disable SHA-1 TLS server certificates by default in JDK 9. In order to be disabled, the certificates must chain back to trusted root certificate in the cacerts keystore that has a " [jdk]" attribute appended to their alias name.
>
> --Sean
>
> diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
> --- a/src/java.base/share/conf/security/java.security
> +++ b/src/java.base/share/conf/security/java.security
> @@ -598,8 +598,8 @@
> #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
> #
> #
> -jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
> -    DSA keySize < 1024, EC keySize < 224
> +jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
> +    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
>
> #
> # Algorithm restrictions for signed JAR files

Loading...