Type: Sub-task
Resolution: Delivered
Priority: P4
Fix Version: 22
Two new system properties, `jdk.tls.server.maxInboundCertificateChainLength` and `jdk.tls.client.maxInboundCertificateChainLength`, have been added to set the maximum allowed length of the certificate chain accepted from the client or server during TLS/DTLS handshaking.
A service can function as both a TLS/DTLS server and client. When the service acts as a server, it enforces a maximum certificate chain length accepted from clients. When the service acts as a client, it enforces a maximum certificate chain length accepted from servers.
These properties, if set, override the existing `jdk.tls.maxCertificateChainLength` system property. The properties work together as follows:
If the `jdk.tls.server.maxInboundCertificateChainLength` system property is set and its value is greater than or equal to 0, this value will be used to enforce the maximum length of a client certificate chain accepted by a server. Otherwise, if the `jdk.tls.maxCertificateChainLength` system property is set and its value is greater than or equal to 0, this value will be used to enforce it. If neither property is set, a default value of 8 will be used for enforcement.
If the `jdk.tls.client.maxInboundCertificateChainLength` system property is set and its value is greater than or equal to 0, this value will be used to enforce the maximum length of a server certificate chain accepted by a client. Otherwise, if the `jdk.tls.maxCertificateChainLength` system property is set and its value is greater than or equal to 0, this value will be used to enforce it. If neither property is set, a default value of 10 will be used for enforcement.
In this release, the default maximum length of a client certificate chain accepted by a server has been changed from 10 to 8.
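As an added illustration, not code from the JDK itself, the following Java program models the lookup order described above: the side-specific property wins if set to a value of 0 or more, then the legacy `jdk.tls.maxCertificateChainLength`, then the built-in default (8 on the server side, 10 on the client side). Treating a negative or unparsable value as "not set" is an assumption that mirrors how `Integer.getInteger` falls back to its default; the configurations in `main` are constructed for the demonstration.

```java
import java.util.Properties;

/** Models the documented precedence of the inbound certificate chain-length properties. */
public final class TlsChainLimits {
    static final String SERVER_PROP = "jdk.tls.server.maxInboundCertificateChainLength";
    static final String CLIENT_PROP = "jdk.tls.client.maxInboundCertificateChainLength";
    static final String LEGACY_PROP = "jdk.tls.maxCertificateChainLength";

    /** Returns the property as an int if it is set and >= 0, otherwise -1.
     *  Assumption: negative and unparsable values count as "not set". */
    static int readLimit(Properties props, String name) {
        String raw = props.getProperty(name);
        if (raw == null) return -1;
        try {
            int v = Integer.parseInt(raw.trim());
            return v >= 0 ? v : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    /** Side-specific property first, then the legacy property, then the built-in default. */
    static int resolve(Properties props, String sideProp, int builtInDefault) {
        int side = readLimit(props, sideProp);
        if (side >= 0) return side;
        int legacy = readLimit(props, LEGACY_PROP);
        return legacy >= 0 ? legacy : builtInDefault;
    }

    /** Longest client chain a server accepts (default 8). */
    public static int clientChainLimitOnServer(Properties p) { return resolve(p, SERVER_PROP, 8); }

    /** Longest server chain a client accepts (default 10). */
    public static int serverChainLimitOnClient(Properties p) { return resolve(p, CLIENT_PROP, 10); }

    static void report(String label, Properties p) {
        System.out.printf("%-24s server<=%d client<=%d%n", label,
                clientChainLimitOnServer(p), serverChainLimitOnClient(p));
    }

    public static void main(String[] args) {
        // Constructed configurations, as they would be passed with -D on the java command line.
        Properties legacyOnly = new Properties();
        legacyOnly.setProperty(LEGACY_PROP, "12");
        Properties serverTighter = new Properties(legacyOnly); // inherits legacy=12
        serverTighter.setProperty(SERVER_PROP, "3");           // overrides it for inbound client chains only
        Properties invalid = new Properties();
        invalid.setProperty(SERVER_PROP, "-1");                // negative: treated as unset
        invalid.setProperty(CLIENT_PROP, "abc");               // unparsable: treated as unset
        report("no properties", new Properties());
        report("legacy=12", legacyOnly);
        report("legacy=12, server=3", serverTighter);
        report("server=-1, client=abc", invalid);
        report("this JVM's -D settings", System.getProperties());
    }
}
```

Run it with `-Djdk.tls.server.maxInboundCertificateChainLength=...` to see which value the last line reports for the current JVM.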