On Wed, 16 Apr 2025 14:57:20 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> The MD5 algorithm is prohibited by the TLSv1.3 RFC from being used in certificates:
>> 
>>     Any endpoint receiving any certificate which it would need to
>>     validate using any signature algorithm using an MD5 hash MUST abort
>>     the handshake with a "bad_certificate" alert.
>> 
>> The bug manifests itself when older versions of the protocol are supported 
>> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are 
>> supported, both client and server calculate their respective SSLSession's 
>> "localSupportedSignAlgs" based on the supported signature algorithms for all 
>> active protocols and don't update it when the negotiated protocol is 
>> established. Then the "localSupportedSignAlgs" list is used to validate 
>> the certificate's algorithm.
>> 
>> While we disable "MD5withRSA" in the java.security config, the MD5 algorithm should 
>> not be allowed in TLSv1.3 regardless of optional configuration.
>> 
>> The underlying issue we are fixing here is not MD5-specific: when multiple 
>> TLS versions are supported, we compute local supported algorithms for ALL 
>> supported TLS versions. Thus MD5 and other algorithms that are supported in 
>> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated 
>> protocol version.
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Further optimization: remove unnecessary updates

test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java line 1:

> 1: /*

Import of `java.security.cert.Certificate` on line 54 is unnecessary. Yeah, I 
know it's not in your code.

test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java line 131:

> 129: 
> 130:         // create a key store
> 131:         KeyStore ks = KeyStore.getInstance("JKS");

I wonder if PKCS12 would be a better choice in the long run.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24425#discussion_r2047831632
PR Review Comment: https://git.openjdk.org/jdk/pull/24425#discussion_r2047829144
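To make the bug in the quoted PR description concrete, here is an added illustrative model (not JSSE code and not part of this thread) contrasting a "localSupportedSignAlgs" list computed as the union over all enabled protocols with one computed from the negotiated protocol only; the scheme table, protocol enum and method names are constructed for the example.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Illustrative model of the described bug; the scheme table below is constructed.
public class SignAlgsByProtocol {
    enum Protocol { TLS12, TLS13 }

    // Signature scheme name, its JCA algorithm, and the protocols it is valid in.
    record Scheme(String name, String jcaAlg, Set<Protocol> protocols) {}

    static final List<Scheme> SCHEMES = List.of(
        new Scheme("rsa_md5", "MD5withRSA", EnumSet.of(Protocol.TLS12)),
        new Scheme("rsa_pkcs1_sha1", "SHA1withRSA", EnumSet.of(Protocol.TLS12)),
        new Scheme("rsa_pkcs1_sha256", "SHA256withRSA", EnumSet.of(Protocol.TLS12)),
        new Scheme("rsa_pss_rsae_sha256", "RSASSA-PSS", EnumSet.of(Protocol.TLS12, Protocol.TLS13)),
        new Scheme("ecdsa_secp256r1_sha256", "SHA256withECDSA", EnumSet.of(Protocol.TLS12, Protocol.TLS13)));

    // Buggy behaviour: union over every enabled protocol, never revisited after negotiation.
    static List<String> localSupportedSignAlgsBuggy(Set<Protocol> enabled) {
        return SCHEMES.stream()
            .filter(s -> s.protocols().stream().anyMatch(enabled::contains))
            .map(Scheme::jcaAlg).toList();
    }

    // Fixed behaviour: only schemes valid in the protocol that was actually negotiated.
    static List<String> localSupportedSignAlgsFixed(Protocol negotiated) {
        return SCHEMES.stream()
            .filter(s -> s.protocols().contains(negotiated))
            .map(Scheme::jcaAlg).toList();
    }

    // Certificate check: the peer certificate's signature algorithm must be in the local list.
    static boolean acceptsCertificate(List<String> localSupportedSignAlgs, String certSigAlg) {
        return localSupportedSignAlgs.contains(certSigAlg);
    }

    public static void main(String[] args) {
        Set<Protocol> enabled = EnumSet.of(Protocol.TLS12, Protocol.TLS13);
        Protocol negotiated = Protocol.TLS13;
        String certSigAlg = "MD5withRSA";
        // With both versions enabled, the union list still contains MD5withRSA under TLS 1.3.
        System.out.println("buggy accepts MD5 cert under TLS 1.3: "
            + acceptsCertificate(localSupportedSignAlgsBuggy(enabled), certSigAlg));
        // Filtering by the negotiated protocol excludes it, matching the RFC requirement.
        System.out.println("fixed accepts MD5 cert under TLS 1.3: "
            + acceptsCertificate(localSupportedSignAlgsFixed(negotiated), certSigAlg));
    }
}
```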
