On Wed, 16 Apr 2025 14:57:20 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates:
>> 
>> 
>> Any endpoint receiving any certificate which it would need to
>> validate using any signature algorithm using an MD5 hash MUST abort
>> the handshake with a "bad_certificate" alert.
>> 
>> 
>> 
>> The bug manifests itself when older versions of protocol are supported 
>> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are 
>> supported, both client and server calculate their respective SSLSessions's 
>> "localSupportedSignAlgs" based on supported signature algorithms for all 
>> active protocols and don't update it when negotiated protocol is 
>> established. Then "localSupportedSignAlgs" list is used to validate 
>> certificate's algorithm.
>> 
>> While we disable "MD5withRSA" in java.security config, MD5 algorithm should 
>> not be allowed in TLSv1.3 regardless of optional configuration.
>> 
>> The underlying issue we are fixing here is not MD5-specific: when multiple 
>> TLS versions are supported, we compute local supported algorithms for ALL 
>> supported TLS versions. Thus MD5 and other algorithms that are supported in 
>> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated 
>> protocol version.
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Further optimization: remove unnecessary updates

Marked as reviewed by mullan (Reviewer).

-------------

PR Review: https://git.openjdk.org/jdk/pull/24425#pullrequestreview-2773610308

Reply via email to