
default java.security properties file contains unrecognized "include" directives for disabledNamedCurves

Open mikecirioli opened this issue 3 years ago • 0 comments

The default ${JAVA_HOME}/conf/security/java.security file uses an include directive to add a list of disabledNamedCurves to a few other properties. This appears to be supported by the Oracle JDK, but not by Adoptium:

2022-01-19 14:49:18.042+0000 [id=53]    INFO    o.b.jsse.provider.PropertyUtils#getStringSecurityProperty: Found string security property [jdk.tls.disabledAlgorithms]: SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
2022-01-19 14:49:18.044+0000 [id=53]    WARNING o.b.j.p.DisabledAlgorithmConstraints#create: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': include jdk.disabled.namedCurves
2022-01-19 14:49:18.045+0000 [id=53]    INFO    o.b.jsse.provider.PropertyUtils#getStringSecurityProperty: Found string security property [jdk.certpath.disabledAlgorithms]: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
2022-01-19 14:49:18.045+0000 [id=53]    WARNING o.b.j.p.DisabledAlgorithmConstraints#create: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 jdkCA & usage TLSServer
2022-01-19 14:49:18.045+0000 [id=53]    WARNING o.b.j.p.DisabledAlgorithmConstraints#create: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': include jdk.disabled.namedCurves

From the in-line documentation found in ${JAVA_HOME}/conf/security/java.security:

#   IncludeProperty:
#       include <security property>
#
 <snip>
# The "IncludeProperty" allows an implementation-defined security property that
# can be included in the disabledAlgorithms properties.  These properties are
# to help manage common actions easier across multiple disabledAlgorithm
# properties.
# There is one defined security property:  jdk.disabled.NamedCurves
# See the property for more specific details.
#
# This property contains a list of disabled EC Named Curves that can be included
# in the jdk.[tls|certpath|jar].disabledAlgorithms properties.  To include this
# list in any of the disabledAlgorithms properties, add the property name as
# an entry.
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

The actual usage found in ${JAVA_HOME}/conf/security/java.security:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

mikecirioli avatar Jan 20 '22 13:01 mikecirioli
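The entries quoted above follow the java.security IncludeProperty convention: an entry of the form "include <security property>" inside one of the jdk.*.disabledAlgorithms lists stands for the contents of the named property. A consumer that does not implement that convention sees the literal string "include jdk.disabled.namedCurves" as an algorithm name and, as the quoted log shows, ignores it with a warning, so none of the listed curves are actually disabled for that consumer. Note that the logger names in the quoted output (o.b.jsse.provider, o.b.j.p.DisabledAlgorithmConstraints) abbreviate org.bouncycastle.jsse.provider, the Bouncy Castle JSSE provider; the warnings identify which component evaluated the property. The script below is an added example, not code from the issue, from Adoptium or from the JDK: it parses a java.security-style file (the '#' comment, key=value and trailing-backslash continuation subset the file uses), reports the include entries a non-implementing consumer would see verbatim, and computes the effective list after include expansion. The embedded configuration is a constructed sample that mirrors the entries quoted in the issue with the curve list shortened; the function names are the example's own.

```python
import re

# Constructed sample in the java.security property format. The entries mirror
# the ones quoted in the issue, with the named-curve list shortened; this is
# not a copy of any JDK's shipped conf/security/java.security.
SAMPLE_JAVA_SECURITY = """\
# IncludeProperty: an entry of the form "include <security property>"
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, \\
    X9.62 c2tnb191v1, brainpoolP256r1

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \\
    include jdk.disabled.namedCurves

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

INCLUDE_RE = re.compile(r"^include\s+(\S+)$")


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax that java.security uses:
    '#' comment lines, 'key=value' (spaces around '=' allowed) and a trailing
    backslash that continues the value on the next line."""
    props = {}
    buf = None  # logical line being assembled while a continuation is open
    for raw in text.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line.startswith("#"):
                continue
            buf = ""
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        key, sep, value = buf.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        buf = None
    return props


def split_entries(value):
    """disabledAlgorithms values are comma-separated; each entry may itself
    contain spaces (e.g. 'EC keySize < 224', 'SHA1 jdkCA & usage TLSServer')."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unresolved_includes(props, key):
    """Entries a consumer that does not implement IncludeProperty would treat as
    opaque algorithm names (and, as in the issue's log, ignore with a warning)."""
    return [e for e in split_entries(props.get(key, "")) if INCLUDE_RE.match(e)]


def expand_includes(props, key, _stack=()):
    """Resolve 'include <property>' entries as the JDK's in-line documentation
    describes: the referenced property's list is spliced in at that position.
    Includes may nest; a cycle is reported as an error instead of recursing."""
    if key in _stack:
        raise ValueError("include cycle: " + " -> ".join(_stack + (key,)))
    out = []
    for entry in split_entries(props.get(key, "")):
        m = INCLUDE_RE.match(entry)
        if m:
            out.extend(expand_includes(props, m.group(1), _stack + (key,)))
        else:
            out.append(entry)
    return out


if __name__ == "__main__":
    props = parse_properties(SAMPLE_JAVA_SECURITY)
    for key in ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"):
        print(key)
        print("  verbatim include entries:", unresolved_includes(props, key))
        print("  effective list:", expand_includes(props, key))
```

Pointing parse_properties at a real ${JAVA_HOME}/conf/security/java.security (read the file and pass its text) gives the same two views for that JDK: unresolved_includes is what a provider without IncludeProperty support will evaluate, expand_includes is the list the JDK's documentation intends, and the difference between them is the set of curves that silently stay enabled for such a provider.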