On Wed, 16 Apr 2025 14:57:20 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates:
>>
>>     Any endpoint receiving any certificate which it would need to
>>     validate using any signature algorithm using an MD5 hash MUST abort
>>     the handshake with a "bad_certificate" alert.
>>
>> The bug manifests itself when older versions of the protocol are supported
>> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are
>> supported, both client and server calculate their respective SSLSession's
>> "localSupportedSignAlgs" based on supported signature algorithms for all
>> active protocols and don't update it when the negotiated protocol is
>> established. Then the "localSupportedSignAlgs" list is used to validate the
>> certificate's algorithm.
>>
>> While we disable "MD5withRSA" in the java.security config, the MD5 algorithm should
>> not be allowed in TLSv1.3 regardless of optional configuration.
>>
>> The underlying issue we are fixing here is not MD5-specific: when multiple
>> TLS versions are supported, we compute local supported algorithms for ALL
>> supported TLS versions. Thus MD5 and other algorithms that are supported in
>> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated
>> protocol version.
>
> Artur Barashev has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Further optimization: remove unnecessary updates

test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java line 1:

> 1: /*

Import of `java.security.cert.Certificate` on line 54 is unnecessary. Yea, I know it's not in your code.

test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java line 131:

> 129:
> 130:         // create a key store
> 131:         KeyStore ks = KeyStore.getInstance("JKS");

I wonder if PKCS12 would be a better choice in the long run.
-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24425#discussion_r2047831632
PR Review Comment: https://git.openjdk.org/jdk/pull/24425#discussion_r2047829144
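The defect described in the quoted PR text, reduced to a small model as an added example (this is not JDK code and none of the names below are JDK identifiers): the local signature-algorithm list is built as a union over every active protocol version and never refreshed, so a TLS 1.2-only scheme such as MD5 survives into a TLS 1.3 session; recomputing for the negotiated version alone makes the certificate check abort as the RFC requires.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical model: each scheme lists the protocol versions in which it
// may sign a certificate. Only the MD5 scheme is TLS 1.2-only here.
enum Proto { TLS12, TLS13 }

record Scheme(String name, Set<Proto> certUsable) {}

public class SignAlgsByProto {
    static final List<Scheme> ALL = List.of(
        new Scheme("md5WithRSA", EnumSet.of(Proto.TLS12)),
        new Scheme("rsa_pkcs1_sha256", EnumSet.of(Proto.TLS12, Proto.TLS13)),
        new Scheme("ecdsa_secp256r1_sha256", EnumSet.of(Proto.TLS12, Proto.TLS13)));

    // Behaviour the PR describes as buggy: union over every active protocol,
    // computed once before negotiation and never refreshed afterwards.
    static List<String> unionOverActive(Set<Proto> active) {
        return ALL.stream()
            .filter(s -> s.certUsable().stream().anyMatch(active::contains))
            .map(Scheme::name).collect(Collectors.toList());
    }

    // Corrected behaviour: recompute for the single negotiated version.
    static List<String> forNegotiated(Proto negotiated) {
        return unionOverActive(EnumSet.of(negotiated));
    }

    // Certificate check: a signature algorithm outside the local list must
    // abort the handshake with a bad_certificate alert.
    static void checkCertSigAlg(String certAlg, List<String> localSupported) {
        if (!localSupported.contains(certAlg)) {
            throw new IllegalStateException("bad_certificate: " + certAlg);
        }
    }

    public static void main(String[] args) {
        Set<Proto> active = EnumSet.of(Proto.TLS12, Proto.TLS13);
        List<String> stale = unionOverActive(active);   // built before negotiation
        List<String> fresh = forNegotiated(Proto.TLS13); // rebuilt after negotiation
        System.out.println("stale list contains MD5: " + stale.contains("md5WithRSA"));
        System.out.println("refreshed list contains MD5: " + fresh.contains("md5WithRSA"));
        checkCertSigAlg("md5WithRSA", stale); // stale list: MD5 cert is wrongly accepted
        try {
            checkCertSigAlg("md5WithRSA", fresh); // refreshed list: handshake aborts
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```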