> MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates:
>
>> Any endpoint receiving any certificate which it would need to
>> validate using any signature algorithm using an MD5 hash MUST abort
>> the handshake with a "bad_certificate" alert.
>
> The bug manifests itself when older versions of the protocol are supported
> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are
> supported, both client and server calculate their respective SSLSession's
> "localSupportedSignAlgs" based on supported signature algorithms for all
> active protocols and don't update it when the negotiated protocol is established.
> Then the "localSupportedSignAlgs" list is used to validate the certificate's
> algorithm.
>
> While we disable "MD5withRSA" in java.security config, MD5 algorithm should
> not be allowed in TLSv1.3 regardless of optional configuration.
>
> The underlying issue we are fixing here is not MD5-specific: when multiple
> TLS versions are supported, we compute local supported algorithms for ALL
> supported TLS versions. Thus MD5 and other algorithms that are supported in
> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated
> protocol version.
Artur Barashev has updated the pull request incrementally with one additional
commit since the last revision:

  Remove redundant updates

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/24425/files
  - new: https://git.openjdk.org/jdk/pull/24425/files/8e56207a..dd089425

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=24425&range=08
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=24425&range=07-08

Stats: 12 lines in 1 file changed: 0 ins; 12 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/24425.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24425/head:pull/24425

PR: https://git.openjdk.org/jdk/pull/24425
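The quoted PR description boils down to one derivation step done at the wrong time: the "local supported signature algorithms" list is computed as a union over every enabled protocol version instead of being narrowed to the version that was actually negotiated. The following stand-alone Java program is an added illustration of that difference, not code from the JDK or from this pull request; the class name, the `Protocol` enum, the scheme table and the certificate's signature scheme are all constructed for the example and do not mirror JSSE's internal types.

```java
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical model (not JSSE code) of deriving the locally supported
// signature schemes before and after the protocol version is negotiated.
public class SignAlgsByNegotiatedProtocol {

    enum Protocol { TLS12, TLS13 }

    // Constructed table: which protocol versions each scheme may be used with.
    // Only the TLSv1.2 / TLSv1.3 split matters for the illustration.
    static final Map<String, Set<Protocol>> SCHEME_VERSIONS = new LinkedHashMap<>();
    static {
        SCHEME_VERSIONS.put("ecdsa_secp256r1_sha256", EnumSet.of(Protocol.TLS12, Protocol.TLS13));
        SCHEME_VERSIONS.put("rsa_pss_rsae_sha256",    EnumSet.of(Protocol.TLS12, Protocol.TLS13));
        SCHEME_VERSIONS.put("rsa_pkcs1_sha256",       EnumSet.of(Protocol.TLS12, Protocol.TLS13));
        SCHEME_VERSIONS.put("rsa_sha1",               EnumSet.of(Protocol.TLS12)); // TLSv1.2 only
        SCHEME_VERSIONS.put("rsa_md5",                EnumSet.of(Protocol.TLS12)); // TLSv1.2 only
    }

    // Union over every enabled protocol version: the behaviour the PR describes
    // as the bug, because the list is never narrowed after negotiation.
    static List<String> supportedForAllEnabled(Set<Protocol> enabled) {
        return SCHEME_VERSIONS.entrySet().stream()
            .filter(e -> e.getValue().stream().anyMatch(enabled::contains))
            .map(Map.Entry::getKey)
            .collect(Collectors.toList());
    }

    // Narrowed to the single negotiated version: the list must be recomputed
    // once the handshake has settled on a protocol.
    static List<String> supportedForNegotiated(Protocol negotiated) {
        return supportedForAllEnabled(EnumSet.of(negotiated));
    }

    // Certificate validation step: the peer certificate's signature scheme
    // must appear in the local list, otherwise the handshake is aborted.
    static boolean certificateAcceptable(String certSigScheme, List<String> localSupported) {
        return localSupported.contains(certSigScheme);
    }

    public static void main(String[] args) {
        Set<Protocol> enabled = EnumSet.of(Protocol.TLS12, Protocol.TLS13);
        Protocol negotiated = Protocol.TLS13;
        String certScheme = "rsa_md5"; // constructed: a certificate signed with MD5withRSA

        List<String> unionList = supportedForAllEnabled(enabled);
        List<String> narrowed = supportedForNegotiated(negotiated);

        System.out.println("enabled=" + enabled + " negotiated=" + negotiated);
        System.out.println("union over enabled:     " + unionList
            + " -> accepts " + certScheme + "? " + certificateAcceptable(certScheme, unionList));
        System.out.println("narrowed to negotiated: " + narrowed
            + " -> accepts " + certScheme + "? " + certificateAcceptable(certScheme, narrowed));
    }
}
```

With both versions enabled and TLSv1.3 negotiated, the union list still contains `rsa_md5` and accepts the constructed certificate, while the narrowed list rejects it, which is the "bad_certificate" outcome RFC 8446 requires. As an operational check while a fix is rolled out, an application that only needs TLSv1.3 can remove the ambiguity entirely by enabling that version alone (for example via `SSLParameters.setProtocols(new String[] {"TLSv1.3"})`) and confirming the result with `SSLSession.getProtocol()` after the handshake.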