directory-dev mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: [ApacheDS] Test failures with latest JDK
Date Wed, 24 Feb 2016 08:23:40 GMT
On 02/22/2016 10:29 AM, Kiran Ayyagari wrote:
> On Mon, Feb 22, 2016 at 2:44 PM, Stefan Seelmann <mail@stefan-seelmann.de>
> wrote:
> 
>> Hi,
>>
>> after update to latest JDK (1.8.0_74, 1.7.0_95) some tests in
>> server-integ fail. I think the cause is that since 1.8.0_71 MD5 is
>> disabled[1].
>>
>> I think we just need to change the algorithms used when generating the
>> certificates, but I don't find the place in the code where that can be
>> done. Any pointers?
>>
> the only class which we use for generating the default certificate is
> TlsKeyGenerator.java

Thanks Kiran for the pointer.

It turned out the reason is not MD5 (we use SHA1), but the key size. In
TlsKeyGenerator the KEY_SIZE is set to 512, if I increase to 1024 the
tests pass.

Would be an easy fix, however there is a comment above KEY_SIZE:

    ... however note to pass export restrictions we must use a key
    size of* 512 or less here as the default ...
    ... This is required to classify ApacheDS in the ECCN 5D002
    category.  Please see the following page for more information:
    http://www.apache.org/dev/crypto.html ...

That page still states 512 bits, but also includes a note that the law
was changed in 2010, but it seems ASF Legal didn't update the page.

So are we still bound to the 512 bits restriction? Or can we just change
it to 1024 (or even higher)? Or should we just ask Legal?

Kind Regards,
Stefan
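
An added diagnostic, not part of the original message and not ApacheDS code: it lists which key-size rules in the running JDK's disabled-algorithm lists would reject a 512-bit key compared with 1024 or 2048. The standard JDK security properties `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` are not named in the message, and RSA as the key algorithm is an assumption.

```java
import java.security.Security;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeySizePolicyCheck {
    // Matches entries such as "RSA keySize < 1024" in a disabledAlgorithms list.
    private static final Pattern KEY_SIZE_RULE =
            Pattern.compile("^(\\w+)\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)");

    /** Returns the first entry that disables (algorithm, bits), or null if none does. */
    static String blockingRule(String propertyValue, String algorithm, int bits) {
        if (propertyValue == null) {
            return null; // property not set on this JDK
        }
        for (String raw : propertyValue.split(",")) {
            String entry = raw.trim();
            Matcher m = KEY_SIZE_RULE.matcher(entry);
            if (!m.find() || !m.group(1).equalsIgnoreCase(algorithm)) {
                continue; // not a key-size rule for this algorithm
            }
            int limit = Integer.parseInt(m.group(3));
            boolean disabled;
            switch (m.group(2)) {
                case "<":  disabled = bits <  limit; break;
                case "<=": disabled = bits <= limit; break;
                case ">":  disabled = bits >  limit; break;
                case ">=": disabled = bits >= limit; break;
                case "==": disabled = bits == limit; break;
                default:   disabled = bits != limit; break; // "!="
            }
            if (disabled) {
                return entry;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String[] properties = {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"};
        int[] sizes = {512, 1024, 2048}; // 512 is the KEY_SIZE quoted in the message
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String property : properties) {
            String value = Security.getProperty(property);
            for (int bits : sizes) {
                String rule = blockingRule(value, "RSA", bits); // RSA is an assumption
                System.out.printf("%s: RSA %d -> %s%n", property, bits,
                        rule == null ? "no key-size rule applies" : "disabled by \"" + rule + "\"");
            }
        }
    }
}
```

Run it on both JDKs involved in a failing build; a rule reported for 512 but not for 1024 on the newer JDK matches the behaviour described above.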

