Hi Ben,

Thanks for your suggestion. It might be something to consider later if we find that it is causing many issues. However, in general we want the restrictions to be enforced consistently across all certificates used in a certificate chain.

That said, you could apply these stronger restrictions to TLS server certificates by implementing a CertPathChecker that enforces the 4096-bit rule, and adding that to the PKIXParameters of a CertPathChecker. With JSSE this can be done via javax.net.ssl.CertPathTrustManagerParameters.

--Sean
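The approach Sean sketches, written out as an added example (this is my illustration, not code from Sean, Ben or OpenJDK): a `PKIXCertPathChecker` that holds only end-entity certificates (those without CA basic constraints) to a 4096-bit RSA minimum, so an RSA-2048 root or intermediate still validates under the default `jdk.tls.disabledAlgorithms`, plugged into JSSE through `CertPathTrustManagerParameters`. The class and method names (`MinRsaLeafKeySizeChecker`, `buildContext`) are my own, and the trust anchors are taken from the platform's default trust store; revocation checking is left unconfigured here and would need a `PKIXRevocationChecker` in a real deployment.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical checker: rejects non-CA certificates whose RSA modulus is shorter than minBits. */
public final class MinRsaLeafKeySizeChecker extends PKIXCertPathChecker {
    private final int minBits;

    public MinRsaLeafKeySizeChecker(int minBits) { this.minBits = minBits; }

    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        // PKIX validation runs checkers from the trust anchor towards the leaf; that is all we need.
        if (forward) throw new CertPathValidatorException("forward checking not supported");
    }

    @Override public boolean isForwardCheckingSupported() { return false; }

    @Override public Set<String> getSupportedExtensions() { return null; }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        // getBasicConstraints() == -1 means "not a CA". Only the server (end-entity) certificate is held to
        // the stronger rule; CA certificates stay governed by jdk.tls.disabledAlgorithms alone.
        if (x509.getBasicConstraints() != -1) return;
        PublicKey pk = x509.getPublicKey();
        if (pk instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) pk).getModulus().bitLength();
            if (bits < minBits) {
                throw new CertPathValidatorException(
                        "server certificate RSA key is " + bits + " bits, minimum is " + minBits,
                        null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
            }
        }
    }

    /** Builds an SSLContext whose PKIX trust manager uses the default trust anchors plus this checker. */
    public static SSLContext buildContext(int minBits) throws Exception {
        // Reuse whatever the JDK would trust by default (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory dflt = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        dflt.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : dflt.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(c, null));
                }
            }
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        params.setRevocationEnabled(false); // not configured in this example; use a PKIXRevocationChecker in practice
        params.addCertPathChecker(new MinRsaLeafKeySizeChecker(minBits));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java MinRsaLeafKeySizeChecker [host] - with a host, performs a TLS handshake on port 443. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(4096);
        if (args.length == 0) {
            System.out.println("SSLContext built with a 4096-bit RSA minimum for server certificates");
            return;
        }
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname verification on
            s.setSSLParameters(p);
            s.startHandshake(); // throws an SSLHandshakeException if the leaf key is too short
            System.out.println("handshake succeeded: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The checker is only consulted during path validation, so it adds to, rather than replaces, the key-size floor already imposed by `jdk.tls.disabledAlgorithms`; a failed check surfaces to the client as an `SSLHandshakeException` wrapping the `CertPathValidatorException`.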

On 11/21/25 2:34 AM, Benjamin Marwell wrote:
Dear security-dev list members!

Recently I was thinking I could raise the RSA restrictions to >= 4096,
i.e. setting something like this:

     jdk.tls.disabledAlgorithms=..., RSA keySize < 4096

However, while all TLS server certificates do have RSA 4096 (or EC) nowadays, root certificates are another game. They often still use RSA 2048, and this is perfectly fine, according to most comments by security researchers I have seen. So, applying this setting will lead to most server connections being rejected.

Now, I wonder if we could have two settings.
We already have `jdk.security.caDistrustPolicies`.
Maybe we could have `jdk.tls.disabledCaAlgorithms` which defaults to `jdk.tls.disabledAlgorithms` if not specified.
Or maybe something along those lines.

This way, we could enforce RSA4096 server connections via TLS,
but still allow those certs to be signed with a root CA that still uses RSA2048.

I know, this is of limited use in most environments, but I still wanted to introduce you to this idea.

Please let me know if this is a sensible request.

Thanks!
- Ben
