Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Duplicate
Priority: P3
Fix Version/s: None
Affects Version/s: None
Component/s: security-libs
Labels:
- release-note=yes

Subcomponent:
javax.net.ssl
Understanding:
Cause Known

The current key manager is SunX509, which is configured in the java.security. The SunX509 algorithm does not check of the local certificate, and there are known problems if there are multiple certificates in the local key store (see ~~JDK-8199440~~). The PKIX algorithm should be preferred now so that the default key manager could be more robust.

java.security:
- ssl.KeyManagerFactory.algorithm=SunX509
+ ssl.KeyManagerFactory.algorithm=PKIX

blocks

JDK-8136720 The PKIX KeyManagerFactory algorithm is underspecified

Open

csr for

JDK-8355219 Change the default key manager to PKIX

Closed

duplicates

JDK-8359956 Support algorithm constraints and certificate checks in SunX509 key manager

Resolved

relates to

JDK-8199440 JDK selects wrong certificate during two-way SSL handshake

Closed

JDK-8353113 Peer supported certificate signature algorithms are not being checked with default SunX509 key manager

Closed

JDK-8170706 Support algorithm constraints in SunX509 key manager

Closed

JDK-8322767 TLS full handshake is slow with PKCS12KeyStore and X509KeyManagerImpl

Open

links to

Review(master) openjdk/jdk/24756

(2 relates to, 1 links to)

Update "Security Developer's Guide" documentation.

Closed

Raymond Gallardo

Assignee:: Artur Barashev
Reporter:: Xuelei Fan
Votes:: 0 Vote for this issue
Watchers:: 6 Start watching this issue

Created:: 2021-08-23 21:40
Updated:: 2025-06-20 06:42
Resolved:: 2025-06-20 06:42

Details

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates