- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- System or security property
- JDK
Summary
Add the RC2 and ARCFOUR (RC4) algorithms to the "jdk.security.legacyAlgorithms" security property in the java.security property file. keytool will emit warnings when one of these weak algorithms is used.
Problem
RC2 and ARCFOUR are weak algorithms. keytool does not emit warnings when an RC2 or ARCFOUR algorithm is used by its commands that operate on secret key entries in the keystore.
Solution
Update the "jdk.security.legacyAlgorithms" security property to include RC2 and ARCFOUR. This enables keytool to generate warnings when it uses a weak secret key algorithm based on RC2 or ARCFOUR.
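
One way to check that a deployed java.security file carries this change, as an added example that is not part of the CSR or the JDK. The function names and the sample text are constructed here, and the parser handles only `key=value` lines with backslash continuations, not the full java.util.Properties syntax.

```python
import sys

PROPERTY = "jdk.security.legacyAlgorithms"

def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines; None if unset."""
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        while line.endswith("\\"):
            # Continuation: drop the backslash, strip the next line's indent.
            line = line[:-1] + next(lines, "").strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value

def legacy_algorithms(text):
    """Split the property into its comma-separated entries."""
    value = read_property(text, PROPERTY) or ""
    return [e.strip() for e in value.split(",") if e.strip()]

def missing_entries(text, required=("RC2", "ARCFOUR")):
    """Names from `required` that are not listed as a bare, unconstrained entry."""
    # Entries such as "RSA keySize < 2048" carry a constraint and are skipped.
    bare = {e.upper() for e in legacy_algorithms(text) if len(e.split()) == 1}
    return [a for a in required if a.upper() not in bare]

# Constructed sample: the property as it reads before and after this change.
BEFORE = """\
jdk.security.legacyAlgorithms=SHA1, \\
    RSA keySize < 2048, DSA keySize < 2048, \\
    DES, DESede, MD5
#
# Algorithm restrictions for signed JAR files
"""
AFTER = BEFORE.replace("DES, DESede, MD5", "DES, DESede, MD5, RC2, ARCFOUR")

if __name__ == "__main__":
    # Pass the path of a java.security file to audit it; otherwise use the samples.
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for label, text in (texts or {"before": BEFORE, "after": AFTER}).items():
        gaps = missing_entries(text)
        print(f"{label}: {'missing ' + ', '.join(gaps) if gaps else 'RC2 and ARCFOUR listed'}")
```

A file that reports missing entries will not cause keytool to warn about the corresponding algorithm.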
Specification
Make the following changes to the java.security property file:
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -654,7 +654,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
jdk.security.legacyAlgorithms=SHA1, \
RSA keySize < 2048, DSA keySize < 2048, \
- DES, DESede, MD5
+ DES, DESede, MD5, RC2, ARCFOUR
#
# Algorithm restrictions for signed JAR files
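Review bot: The added line lists only the name ARCFOUR, while the Summary and the title of the linked issue refer to the same cipher as RC4. Please confirm that keytool's legacy-algorithm check maps the RC4 name to ARCFOUR before matching against this property, so that a secret key entry created under the name RC4 still produces the warning; if it matches on the literal name, RC4 should be added to the list alongside ARCFOUR.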
- csr of: JDK-8286090 Add RC2/RC4 to jdk.security.legacyAlgorithms (Resolved)