Steffen,

On 7/18/16 11:14 AM, Steffen Heil (Mailinglisten) wrote:
> Hi
>
>
>>> I am not sure that this is related, but we were having issues
>>> after updating from 1.8.0_31 to 1.8.0_72 with certificates
>>> signed by root-cas that have a md5 signature. While the CA
>>> signature in the CA certificate does not provide any security,
>>> a bug in the jre rejected the certificate even though the
>>> certificate itself was signed with sha1. Maybe this is
>>> related.
>>
>> Do you mean rejecting SHA-1 signatures instead of SHA-256? MD5
>> hasn't been used for certificate signatures for quite a few
>> years.
>
> No, I mean MD5. A customer of ours had a CA that was created using
> MD5 in the Root Certificate in 2004. (Customer's setup, not ours.)
>
> But the server certificate was correctly signed using SHA1. Still
> Java rejected the certificate, because of the weak (but irrelevant)
> signature of the CA certificate.

Wow, I guess Java finally got around to enforcing that obvious
security control. :)

-chris