JDK-8172404 : Tools should warn if weak algorithms are used before restricting them
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,11,15
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-01-09
  • Updated: 2023-12-04
  • Resolved: 2020-04-17
Fix versions:
  • JDK 11: 11.0.9-oracle (Fixed)
  • JDK 13: 13.0.9 (Fixed)
  • JDK 15: 15 b20 (Fixed)
  • JDK 7: 7u281 (Fixed)
  • JDK 8: 8u271 (Fixed)
  • Other: openjdk8u292 (Fixed)
Sub Tasks
  • JDK-8244286
Description
It would be useful to also start warning users that SHA-1 and 1024-bit RSA/DSA certificates are a security risk *before* we actually start disabling them.

We add a new jdk.security.legacyAlgorithms security property to the java.security properties file. The keytool and jarsigner tools will be enhanced to honour the new property and to print informational warnings when legacy algorithms are used, so that users can plan their transition away from them. Because the property is separate from the runtime's restriction lists, a user can edit it independently and still get warnings from the tools even when the runtime allows the algorithm.
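As an added illustration (not part of the issue or of any shipped JDK file), the following java.security override shows the distinction the description draws: the runtime's restriction list stays as it is, while the new jdk.security.legacyAlgorithms property makes keytool and jarsigner warn about SHA-1 signatures and RSA/DSA keys shorter than 2048 bits. The property values and the file name legacy.security are assumptions for this example.

```properties
# Added example override file (constructed for illustration; not copied from
# a shipped JDK java.security). Loaded on top of the JDK defaults via the
# java.security.properties system property.

# Runtime enforcement: signed JARs whose signatures or keys match these
# constraints are rejected outright. The list is illustrative and deliberately
# still allows SHA-1 signatures and 1024-bit RSA/DSA keys.
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

# Tool warnings only (the property introduced by this enhancement). It uses
# the same constraint syntax as the disabledAlgorithms properties, but nothing
# is blocked: keytool and jarsigner print an informational warning whenever a
# key, certificate or signature matches an entry here, so the legacy
# algorithms are flagged while the runtime above keeps accepting them.
jdk.security.legacyAlgorithms=SHA1, \
    RSA keySize < 2048, DSA keySize < 2048
```

The override is applied to either tool through its -J option, for example keytool -J-Djava.security.properties=file:/path/to/legacy.security -list -v -keystore keystore.p12, which inspects a keystore with the default restrictions intact but the legacy warnings enabled.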

Comments
Fix request (13u) The fix depends on JDK-8233228, so JDK-8233228 needs to be backported to jdk13u first. See discussion for JDK-8233228: https://github.com/openjdk/jdk13u-dev/pull/32
26-11-2020

Fix request (11u) -- will label after testing is completed. I would like to downport this for parity with 11.0.9-oracle. Does not apply cleanly: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-June/003238.html The CSR mentions 11, so I added it as CSR to the backport issue. Is that ok?
05-06-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/6611a79f2ddf User: weijun Date: 2020-04-17 12:12:08 +0000
17-04-2020