On 07/12/2017 07:45 AM, Sean Mullan wrote:
On 7/11/17 3:10 PM, Langer, Christoph wrote:
In any case, from what you are saying, I take that I can safely patch
our JDK distribution with this change without doing a bad thing to
security in general, wouldn't you agree?
Yes, I agree.
Also, note that you can probably also workaround this issue by adding a
specific "SHA1/RSA" constraint to the jdk.certpath.disabledAlgorithms
security property.
--Sean
The problem cannot be resolved by jdk.certpath.disabledAlgorithms.
Without using X509CertImpl, the non-standard "SHA1/RSA" is not converted
to "SHA1withRSA". The failing call is in
SSLAlgorithmConstraints.permit(), which checks by matching the algorithm name
against a list of standard supported algorithm names, and therefore fails.
Tony