On 02/24/2016 10:14 AM, Emmanuel Lécharny wrote:
> On 24/02/16 09:23, Stefan Seelmann wrote:
>> On 02/22/2016 10:29 AM, Kiran Ayyagari wrote:
>>> On Mon, Feb 22, 2016 at 2:44 PM, Stefan Seelmann <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> after update to latest JDK (1.8.0_74, 1.7.0_95) some tests in
>>>> server-integ fail. I think the cause is that since 1.8.0_71 MD5 is
>>>> disabled[1].
>>>>
>>>> I think we just need to change the algorithms used when generating the
>>>> certificates, but I don't find the place in the code where that can be
>>>> done. Any pointers?
>>>>
>>> the only class which we use for generating the default certificate is
>>> TlsKeyGenerator.java
>> Thanks Kiran for the pointer.
>>
>> It turned out the reason is not MD5 (we use SHA1), but the key size. In
>> TlsKeyGenerator the KEY_SIZE is set to 512; if I increase it to 1024 the
>> tests pass.
>>
>> Would be an easy fix, however there is a comment above KEY_SIZE:
>>
>> ... however note to pass export restrictions we must use a key
>> size of 512 or less here as the default ...
>> ... This is required to classify ApacheDS in the ECCN 5D002
>> category. Please see the following page for more information:
>> http://www.apache.org/dev/crypto.html ...
>>
>> That page still states 512 bits, but also includes a note that the law
>> was changed in 2010, but it seems ASF Legal didn't update the page.
>>
>> So are we still bound to the 512 bits restriction? Or can we just change
>> it to 1024 (or even higher)? Or should we just ask Legal?
>
> I'll check the page. I remember having had to deal with the ECCN
> declaration for Directory 10 years ago (sort of), and it was a kind of a
> pain, but a necessary one.
As I understand the page, the 512 bits restriction is still true. What I now did is to use 1024 bit *only* for tests in the FrameworkRunner class [1]. The key generated at server startup still has 512 bit.

Kind Regards,
Stefan

[1] http://svn.apache.org/viewvc?rev=1749199&view=rev
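The failure Stefan describes (512-bit RSA keys rejected, 1024-bit keys accepted) comes from the JDK's `jdk.certpath.disabledAlgorithms` security property, which on recent releases contains an `RSA keySize < 1024` constraint. The following is an added illustration, not ApacheDS code or part of this thread: it reads that property from the running JDK, generates RSA key pairs the way a `KEY_SIZE` constant would drive `KeyPairGenerator`, and reports which sizes the JDK's certificate path validation will accept. The class name `RsaKeySizeCheck`, the helper names and the regular expression are assumptions; `jdk.certpath.disabledAlgorithms`, `Security.getProperty` and `KeyPairGenerator` are the real JDK APIs.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.interfaces.RSAKey;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (not ApacheDS code): shows why a 512-bit RSA key is
 * rejected by the JDK's certificate path validation while 1024 passes.
 * The property name jdk.certpath.disabledAlgorithms is the real JDK
 * security property from java.security; everything else here is assumed.
 */
public class RsaKeySizeCheck {

    /** Matches a constraint such as "RSA keySize < 1024" inside the property value. */
    private static final Pattern RSA_MIN =
        Pattern.compile("RSA\\s+keySize\\s*<\\s*(\\d+)");

    /**
     * Returns the minimum RSA key size the running JDK accepts for
     * certificate paths, or 0 if the property carries no such constraint.
     */
    public static int minimumRsaKeySize() {
        String disabled = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (disabled == null) {
            return 0;
        }
        Matcher m = RSA_MIN.matcher(disabled);
        return m.find() ? Integer.parseInt(m.group(1)) : 0;
    }

    /** Generates an RSA key pair of the given size, as a KEY_SIZE constant would. */
    public static KeyPair generate(int keySize) throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(keySize);
        return gen.generateKeyPair();
    }

    /** True if the pair's modulus length meets the JDK's certpath constraint. */
    public static boolean acceptedByCertPath(KeyPair pair) {
        int bits = ((RSAKey) pair.getPublic()).getModulus().bitLength();
        return bits >= minimumRsaKeySize();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDK minimum RSA key size for certpath: " + minimumRsaKeySize());
        for (int size : new int[] {512, 1024, 2048}) {
            KeyPair pair = generate(size);
            System.out.println(size + "-bit key accepted: " + acceptedByCertPath(pair));
        }
    }
}
```

Run it with the JDK under test (`java RsaKeySizeCheck.java` on JDK 11 or later) to see the constraint the thread ran into; on a JDK where the property lacks the `RSA keySize` clause the check reports every size as accepted, which is why a test suite can pass on one JDK update and fail on the next.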
