Thanks, Peter.
cheers,
dalibor topic
On 22.01.2015 15:49, Peter Haraldson wrote:
I just want to confirm that this applies only to RedHat:s patched version.
In their release "java-1.7.0-openjdk-1.7.0.71-2.5.3.2.el6_6", which
basically is OpenJDK 7, they added a patch that included this rule.
I will turn to RedHat for further discussions.
Thanks for your help!
Regards
peter
Message: 1
Date: Mon, 19 Jan 2015 15:50:13 +0000
From: Se?n Coffey <sean.cof...@oracle.com>
To: Peter Haraldson <pe...@certitrade.net>,
"jdk7u-dev@openjdk.java.net" <jdk7u-dev@openjdk.java.net>
Cc: "security-...@openjdk.java.net" <security-...@openjdk.java.net>
Subject: Re: DSA with keylength > 1024 no longer accepted (jdk7u-dev
Digest, Vol 43, Issue 8)
Message-ID: <54bd27b5.4030...@oracle.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Peter,
the issue you reference isn't a problem in jdk7u. - for the Oracle JDK
at least. The code snippet your refer to is from jdk8 source code. The
key length restriction was initially introduced as a side effect of this
fix in JDK 8 https://bugs.openjdk.java.net/browse/JDK-7044060
That said, the version string you pasted makes it look like you're
running IcedTea from Redhat. My earlier assumptions were that you were
running OpenJDK binary based on the jdk7u sources
(http://hg.openjdk.java.net/jdk7u/jdk7u/jdk) - If IcedTea has ported
JDK-7044060 to their code base, you might have to contact them. Best to
follow up on distro-pkg-...@openjdk.java.net
regards,
Sean.
On 19/01/15 15:21, Peter Haraldson wrote:
Thanks, I have now subscribed to security-dev as well. To keep the
thread intact I still reply here.
Our java version would be JDK 7 I suppose - reported java version
"1.7.0_65".
I checked your link, and I can see this issue will be resolved in JDK
8 & 9, but I could not find anything about this issue with JDK 7.
If it's not to be fixed in JDK 7 then we will need to upgrade.
Kind regards
Peter
Message: 3
Date: Thu, 15 Jan 2015 10:28:46 +0000
From: Se?n Coffey <sean.cof...@oracle.com>
To: Peter Haraldson <pe...@certitrade.net>
Cc: Security OpenJDK <security-...@openjdk.java.net>
Subject: Re: DSA with keylength > 1024 no longer accepted
Message-ID: <54b7965e.8010...@oracle.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Hi Peter,
security-dev is best mailing list to discuss this issue, I'm cc'ing
that
list and bcc'ing off jdk7u-dev.
Are you hitting this issue with JDK 8 and later ? (I'll assume so) -
You've hit https://bugs.openjdk.java.net/browse/JDK-8039921
To aid compatibility, it's been decided to relax that restriction from
8u60 and later. See comments in bug report around use of SHA1 and SHA2
and the length of keys that should be used in each operation.
Hope that helps.
regards,
Sean.
On 15/01/2015 10:10, Peter Haraldson wrote:
Hi
First, I'm not quite sure if this is the correct list for this issue,
please excuse & correct me if it's not.
Our problem is that in latest openjdk a check is added that makes our
certificates with DSA & Keylength 2048 unusable. In file
"sun.security.provider.DSA" line 484-489:
protected void checkKey(DSAParams params) throws
InvalidKeyException {
int valueL = params.getP().bitLength();
if (valueL > 1024) {
throw new InvalidKeyException("Key is too long for
this algorithm");
}
}
This is new, these certificates worked fine before. I don't know the
reason for not accepting longer keys than 1024, not allowing too short
keys would make sense to me but not allowing long keys?
We need to find a permanent solution, as for now we can't update our
production servers because of this. We have several certificates
issued by MasterCard, it is a very tedious job to change them all.
Is there a way we could bypass this, could this check be abandoned in
next update?
Our system:
java version "1.7.0_65" (not affected)
OpenJDK Runtime Environment (rhel-2.5.1.2.el6_5-x86_64 u65-b17)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
OS: RedHat 6.6
Regards Peter
--
<http://www.oracle.com> Dalibor Topic | Principal Product Manager
Phone: +494089091214 <tel:+494089091214> | Mobile: +491737185961
<tel:+491737185961>
ORACLE Deutschland B.V. & Co. KG | Kühnehöfe 5 | 22761 Hamburg
ORACLE Deutschland B.V. & Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
<http://www.oracle.com/commitment> Oracle is committed to developing
practices and products that help protect the environment
