directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS] Test failures with latest JDK
Date Wed, 24 Feb 2016 09:14:47 GMT
Le 24/02/16 09:23, Stefan Seelmann a écrit :
> On 02/22/2016 10:29 AM, Kiran Ayyagari wrote:
>> On Mon, Feb 22, 2016 at 2:44 PM, Stefan Seelmann <mail@stefan-seelmann.de>
>> wrote:
>>
>>> Hi,
>>>
>>> after update to latest JDK (1.8.0_74, 1.7.0_95) some tests in
>>> server-integ fail. I think the cause is that since 1.8.0_71 MD5 is
>>> disabled[1].
>>>
>>> I think we just need to change the algorithms used when generating the
>>> certificates, but I don't find the place in the code where that can be
>>> done. Any pointers?
>>>
>> the only class which we use for generating the default certificate is
>> TlsKeyGenerator.java
> Thanks Kiran for the pointer.
>
> It turned out the reason is not MD5 (we use SHA1), but the key size. In
> TlsKeyGenerator the KEY_SIZE is set to 512, if I icrease to 1024 the
> tests pass.
>
> Would be an easy fix, however there is a comment above KEY_SIZE:
>
>     ... however note to pass export restrictions we must use a key
>     size of* 512 or less here as the default ...
>     ... This is required to classify ApacheDS in the ECCN 5D002
>     category.  Please see the following page for more information:
>     http://www.apache.org/dev/crypto.html ...
>
> That page still states 512 bits, but also includes a note that the law
> was changes in 2010, but it seems ASF Legal didn't update the page.
>
> So are we still bound to the 512 bits restriction? Or can we just change
> it to 1024 (or even higher)? Or should we just ask Legal?

I'll check the page. I remember having had to deal with the ECCN
declaration for Directory 10 years ago (sort of), and it was a kind of a
pain, but a necessary one.


I'll keep you posted.

Mime
View raw message