RFR: JDK-8176503: Disable SHA-1 TLS Server Certificates
Vincent Ryan vincent.x.ryan at oracle.com
Mon Mar 13 15:52:15 UTC 2017
That change looks fine to me. Thanks.
On 13 Mar 2017, at 14:57, Sean Mullan <sean.mullan at oracle.com> wrote:
Please review this configuration change to disable SHA-1 TLS server certificates by default in JDK 9. In order to be disabled, the certificates must chain back to a trusted root certificate in the cacerts keystore that has a " [jdk]" attribute appended to its alias name.

--Sean

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -598,8 +598,8 @@ # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # _-jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, _ - DSA keySize < 1024, EC keySize < 224 _+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, _ + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 # # Algorithm restrictions for signed JAR files
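
Review bot: In the added `jdk.certpath.disabledAlgorithms` value, the `SHA1 jdkCA & usage TLSServer` entry is narrowed by two constraints, and nothing in the hunk or its visible comment context says what that scope leaves enabled. Suggest a comment line above the property stating that SHA-1 is rejected only for TLS server certificate chains anchored at a cacerts entry whose alias carries the " [jdk]" attribute, so that readers do not assume SHA-1 chains anchored at locally added roots, or used for other purposes, are rejected as well.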
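
To check that a given JDK's java.security actually carries this setting, the following added example (not part of the original message or the JDK sources) parses the property and reports how SHA1 is restricted. The function names and the sample text are constructed for illustration, and the backslash line-continuation layout of the sample is an assumption.

```python
# Constructed sample: the property as it reads after the change on this page,
# laid out with java.security backslash line continuations (assumed layout).
SAMPLE = r"""
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""

PROPERTY = "jdk.certpath.disabledAlgorithms"

def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith(("#", "!"))):
            continue  # blank or comment line outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]  # drop the backslash, keep the text before it
            continue
        logical.append(buf + line)
        buf = ""
    for entry in logical:
        key, _, value = entry.partition("=")
        if key.strip() == name:
            return value.strip()
    return None

def parse_entries(value):
    """Map each algorithm name to its list of '&'-joined constraints."""
    entries = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        algo, _, rest = item.partition(" ")
        entries[algo.upper()] = [c.strip() for c in rest.split("&") if c.strip()]
    return entries

def sha1_status(text):
    """Describe how the file restricts SHA1 in certification paths."""
    value = read_property(text, PROPERTY)
    if value is None:
        return "property missing"
    constraints = parse_entries(value).get("SHA1")  # name as written on this page
    if constraints is None:
        return "SHA1 not restricted"
    if not constraints:
        return "SHA1 disabled for all certification paths"
    return "SHA1 disabled only when: " + " & ".join(constraints)

if __name__ == "__main__":
    print(sha1_status(SAMPLE))
```

An entry with no constraints after the algorithm name is reported as disabled for all paths, which distinguishes a blanket SHA1 ban from the scoped one introduced here.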