On Thu, 3 Apr 2025 19:05:59 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

> The MD5 algorithm is prohibited by the TLSv1.3 RFC from being used in certificates:
>
> > Any endpoint receiving any certificate which it would need to
> > validate using any signature algorithm using an MD5 hash MUST abort
> > the handshake with a "bad_certificate" alert.
>
> The bug manifests itself when older versions of the protocol are supported
> besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are
> supported, both client and server calculate their respective SSLSession's
> "localSupportedSignAlgs" based on the supported signature algorithms for all
> active protocols and don't update it when the negotiated protocol is established.
> Then the "localSupportedSignAlgs" list is used to validate the certificate's
> algorithm.
>
> While we disable "MD5withRSA" in the java.security config, the MD5 algorithm should
> not be allowed in TLSv1.3 regardless of optional configuration.
>
> The underlying issue we are fixing here is not MD5-specific: when multiple
> TLS versions are supported, we compute local supported algorithms for ALL
> supported TLS versions. Thus MD5 and other algorithms that are supported in
> TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated
> protocol version.

This pull request has now been integrated.

Changeset: abb23828
Author:    Artur Barashev <abaras...@openjdk.org>
Committer: Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/abb23828f9dc5f4cdb75d5b924dd6f45925102cd
Stats:     482 lines in 16 files changed: 299 ins; 130 del; 53 mod

8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled

Reviewed-by: mullan

-------------

PR: https://git.openjdk.org/jdk/pull/24425
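The following is an added, constructed model of the bug the PR description explains (it is not JDK code, and the per-version algorithm tables, the `DEFAULT_DISABLED` stand-in for the java.security setting and the function names are illustrative assumptions): the pre-fix behaviour unions the certificate signature algorithms of every enabled protocol version, so a re-enabled MD5withRSA leaks into a TLSv1.3 session, while the fixed behaviour derives the list from the negotiated version only.

```python
# Constructed model of the handshake bug in JDK-8350807 (not JDK code):
# the local list of supported certificate signature algorithms was built
# over every enabled protocol version and never narrowed once a version
# was negotiated, so TLSv1.2-only algorithms leaked into TLSv1.3 sessions.

# Constructed, illustrative per-version certificate signature algorithms.
# TLSv1.3 never lists MD5: RFC 8446 requires a "bad_certificate" alert.
CERT_SIG_ALGS_BY_PROTOCOL = {
    "TLSv1.2": {"MD5withRSA", "SHA1withRSA", "SHA256withRSA", "SHA256withECDSA"},
    "TLSv1.3": {"SHA256withRSA", "RSASSA-PSS", "SHA256withECDSA"},
}

# Stand-in for the java.security disabled-algorithm list: MD5withRSA is
# disabled by default, and an operator may re-enable it by removing it.
DEFAULT_DISABLED = frozenset({"MD5withRSA"})


def local_supported_sign_algs(enabled_protocols, negotiated, disabled, fixed):
    """Return the signature algorithms this endpoint accepts in a peer cert.

    fixed=False reproduces the pre-fix union over all enabled protocols;
    fixed=True derives the list from the negotiated protocol only.
    """
    versions = [negotiated] if fixed else list(enabled_protocols)
    algs = set()
    for version in versions:
        algs |= CERT_SIG_ALGS_BY_PROTOCOL[version]
    return algs - set(disabled)


def validate_peer_cert(cert_sig_alg, enabled_protocols, negotiated,
                       disabled=DEFAULT_DISABLED, fixed=True):
    """Return 'ok', or the alert the endpoint should send ('bad_certificate')."""
    allowed = local_supported_sign_algs(enabled_protocols, negotiated,
                                        disabled, fixed)
    return "ok" if cert_sig_alg in allowed else "bad_certificate"


if __name__ == "__main__":
    both = ("TLSv1.2", "TLSv1.3")
    # Operator re-enabled MD5withRSA, TLSv1.3 was negotiated:
    print("pre-fix :", validate_peer_cert("MD5withRSA", both, "TLSv1.3",
                                          disabled=set(), fixed=False))
    print("post-fix:", validate_peer_cert("MD5withRSA", both, "TLSv1.3",
                                          disabled=set(), fixed=True))
```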
> MD5 algorithm is prohibited by TLSv1.3 RFC to be used in certificates: > > > Any endpoint receiving any certificate which it would need to > validate using any signature algorithm using an MD5 hash MUST abort > the handshake with a "bad_certificate" alert. > > > > The bug manifests itself when older versions of protocol are supported > besides TLSv1.3, such as TLSv1.2. When multiple protocol versions are > supported, both client and server calculate their respective SSLSessions's > "localSupportedSignAlgs" based on supported signature algorithms for all > active protocols and don't update it when negotiated protocol is established. > Then "localSupportedSignAlgs" list is used to validate certificate's > algorithm. > > While we disable "MD5withRSA" in java.security config, MD5 algorithm should > not be allowed in TLSv1.3 regardless of optional configuration. > > The underlying issue we are fixing here is not MD5-specific: when multiple > TLS versions are supported, we compute local supported algorithms for ALL > supported TLS versions. Thus MD5 and other algorithms that are supported in > TLSv1.2 are being used when actually TLSv1.3 ends up being the negotiated > protocol version. This pull request has now been integrated. Changeset: abb23828 Author: Artur Barashev <abaras...@openjdk.org> Committer: Sean Mullan <mul...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/abb23828f9dc5f4cdb75d5b924dd6f45925102cd Stats: 482 lines in 16 files changed: 299 ins; 130 del; 53 mod 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled Reviewed-by: mullan ------------- PR: https://git.openjdk.org/jdk/pull/24425