On Wed, 16 Apr 2025 14:57:20 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> MD5 algorithm is prohibited by the TLSv1.3 RFC from being used in certificates:
>>
>>     Any endpoint receiving any certificate which it would need to
>>     validate using any signature algorithm using an MD5 hash MUST abort
>>     the handshake with a "bad_certificate" alert.
>>
>> The bug manifests itself when older versions of the protocol are supported
>> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are
>> supported, both client and server calculate their respective SSLSession's
>> "localSupportedSignAlgs" based on supported signature algorithms for all
>> active protocols and don't update it when the negotiated protocol is
>> established. Then the "localSupportedSignAlgs" list is used to validate the
>> certificate's algorithm.
>>
>> While we disable "MD5withRSA" in the java.security config, MD5 algorithm should
>> not be allowed in TLSv1.3 regardless of optional configuration.
>>
>> The underlying issue we are fixing here is not MD5-specific: when multiple
>> TLS versions are supported, we compute local supported algorithms for ALL
>> supported TLS versions. Thus MD5 and other algorithms that are supported in
>> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated
>> protocol version.
>
> Artur Barashev has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Further optimization: remove unnecessary updates

Marked as reviewed by mullan (Reviewer).

-------------

PR Review: https://git.openjdk.org/jdk/pull/24425#pullrequestreview-2773610308
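As an added illustration of the bug described in the quoted PR text (this is a constructed model, not code from the PR or the JDK): a per-session list of supported signature algorithms built as the union over every enabled protocol still admits an MD5-signed certificate after TLSv1.3 is negotiated, whereas deriving the list from the negotiated protocol rejects it. The protocol-to-algorithm tables, the negotiation rule and all names are assumptions.

```java
import java.util.*;

// Constructed model (not the JDK's real tables): signature algorithms each
// protocol version accepts for certificate validation. TLSv1.3 omits MD5.
public class LocalSignAlgsModel {
    static final Map<String, Set<String>> ALGS_BY_PROTOCOL = Map.of(
        "TLSv1.2", Set.of("SHA256withRSA", "SHA1withRSA", "MD5withRSA"),
        "TLSv1.3", Set.of("SHA256withRSA", "SHA256withECDSA"));

    // Behaviour described as the bug: the union over every enabled protocol,
    // computed once before negotiation and never narrowed afterwards.
    static Set<String> unionOfEnabled(List<String> enabled) {
        Set<String> all = new TreeSet<>();
        for (String p : enabled) {
            all.addAll(ALGS_BY_PROTOCOL.getOrDefault(p, Set.of()));
        }
        return all;
    }

    // Behaviour described as the fix: the list follows the negotiated protocol.
    static Set<String> forNegotiated(String negotiated) {
        return ALGS_BY_PROTOCOL.getOrDefault(negotiated, Set.of());
    }

    // Simplified negotiation (assumption): highest version both peers enable.
    static String negotiate(List<String> local, List<String> peer) {
        List<String> common = new ArrayList<>(local);
        common.retainAll(peer);
        return common.isEmpty() ? null : Collections.max(common);
    }

    // The certificate check the PR text describes: accept only if the
    // certificate's signature algorithm is in localSupportedSignAlgs.
    static boolean certificateAccepted(Set<String> localSupportedSignAlgs,
                                       String certSigAlg) {
        return localSupportedSignAlgs.contains(certSigAlg);
    }

    public static void main(String[] args) {
        List<String> enabled = List.of("TLSv1.2", "TLSv1.3");
        String negotiated = negotiate(enabled, List.of("TLSv1.3"));
        String certSigAlg = "MD5withRSA"; // constructed: an MD5-signed peer certificate
        System.out.println("negotiated: " + negotiated);
        System.out.println("union over enabled protocols accepts MD5 cert: "
            + certificateAccepted(unionOfEnabled(enabled), certSigAlg));
        System.out.println("negotiated-protocol list accepts MD5 cert:     "
            + certificateAccepted(forNegotiated(negotiated), certSigAlg));
    }
}
```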