On 1/10/2014 6:34 AM, Sean Mullan wrote:
> The code change looks fine. My main concern is the number of tests that
> have been converted to run in othervm which will make the tests run
> slower. Did you explore how much effort it would be to convert some of
> the test certificates to use stronger algorithms?

I did think about changing the certificates from MD5 to SHA-1 or SHA-2.
But it is not a small effort; for some cases it is not doable. I would
rather open a new bug to remove the test dependency on MD5 signature if
possible. What do you think?

> Also, I noticed many of the tests are using ocsp security properties.
> These tests can now use the PKIXRevocationChecker API added in JDK 8
> which won't put a dependency on security properties which require them
> to be run with othervm.

We may backport this fix. It would be nice to address it in another new
bug for JDK 8/9.

Thanks,
Xuelei

> --Sean
>
> On 01/05/2014 10:08 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review this update for JDK 9.
>>
>> webrev: http://cr.openjdk.java.net/~xuelei/8030829/webrev.00/
>>
>> Per the spec of RFC 6151, MD5 must not be used for digital signatures
>> where collision resistance is required. Adding MD5 to
>> jdk.certpath.disabledAlgorithms security property can prevent the usage
>> of MD5 as a digital signature algorithm during X.509 certificate
>> operations.
>>
>> It is not necessary to stop using HMAC-MD5 per RFC 6151. TLS is making
>> use of HMAC-MD5. It is not necessary to stop HMAC-MD5 in JSSE at
>> present.
>>
>> With this update, there are compatibility issues with those applications
>> still using MD5-signed certificates. Please upgrade the weak certificates
>> ASAP.
>>
>> Thanks,
>> Xuelei
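
An added example, not code from the webrev or from the JDK: a simplified model of how a name listed in jdk.certpath.disabledAlgorithms applies to signature algorithm names, showing why an "MD5" entry rejects MD5withRSA while HmacMD5 is unaffected. The class name, the "with"/"and" decomposition rule and the constructed property value are assumptions made for illustration; only `Security.getProperty` reads the real setting of the running JDK.

```java
import java.security.Security;
import java.util.*;

public class DisabledAlgCheck {
    // Names that a disabledAlgorithms-style value bans outright. Entries that carry
    // a constraint (e.g. "RSA keySize < 1024") restrict only some uses, so skip them.
    static Set<String> bannedNames(String property) {
        Set<String> names = new HashSet<>();
        if (property == null) return names;
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e.toUpperCase(Locale.ROOT));
        }
        return names;
    }

    // Simplified decomposition (assumption): "MD5withRSA" -> [MD5, RSA];
    // "HmacMD5" has no "with"/"and" separator and stays a single token.
    static List<String> components(String algorithm) {
        return Arrays.asList(algorithm.toUpperCase(Locale.ROOT).split("WITH|AND"));
    }

    static boolean isBanned(String algorithm, Set<String> banned) {
        for (String c : components(algorithm)) {
            if (banned.contains(c)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> values = new LinkedHashMap<>();
        values.put("constructed", "MD2, MD5, RSA keySize < 1024"); // constructed sample
        values.put("running JDK", Security.getProperty("jdk.certpath.disabledAlgorithms"));
        String[] samples = {"MD5withRSA", "SHA256withRSA", "SHA1withDSA", "HmacMD5"};
        for (Map.Entry<String, String> v : values.entrySet()) {
            System.out.println(v.getKey() + ": " + v.getValue());
            Set<String> banned = bannedNames(v.getValue());
            for (String s : samples) {
                System.out.println("  " + s + " -> " + (isBanned(s, banned) ? "rejected" : "allowed"));
            }
        }
    }
}
```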