directory-dev mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: [ApacheDS] Test failures with latest JDK
Date Sun, 19 Jun 2016 19:44:08 GMT
On 02/24/2016 10:14 AM, Emmanuel Lécharny wrote:
> Le 24/02/16 09:23, Stefan Seelmann a écrit :
>> On 02/22/2016 10:29 AM, Kiran Ayyagari wrote:
>>> On Mon, Feb 22, 2016 at 2:44 PM, Stefan Seelmann <mail@stefan-seelmann.de>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> after update to latest JDK (1.8.0_74, 1.7.0_95) some tests in
>>>> server-integ fail. I think the cause is that since 1.8.0_71 MD5 is
>>>> disabled[1].
>>>>
>>>> I think we just need to change the algorithms used when generating the
>>>> certificates, but I don't find the place in the code where that can be
>>>> done. Any pointers?
>>>>
>>> the only class which we use for generating the default certificate is
>>> TlsKeyGenerator.java
>> Thanks Kiran for the pointer.
>>
>> It turned out the reason is not MD5 (we use SHA1), but the key size. In
>> TlsKeyGenerator the KEY_SIZE is set to 512, if I increase to 1024 the
>> tests pass.
>>
>> Would be an easy fix, however there is a comment above KEY_SIZE:
>>
>>     ... however note to pass export restrictions we must use a key
>>     size of 512 or less here as the default ...
>>     ... This is required to classify ApacheDS in the ECCN 5D002
>>     category.  Please see the following page for more information:
>>     http://www.apache.org/dev/crypto.html ...
>>
>> That page still states 512 bits, but also includes a note that the law
>> was changed in 2010, but it seems ASF Legal didn't update the page.
>>
>> So are we still bound to the 512 bits restriction? Or can we just change
>> it to 1024 (or even higher)? Or should we just ask Legal?
> 
> I'll check the page. I remember having had to deal with the ECCN
> declaration for Directory 10 years ago (sort of), and it was a kind of a
> pain, but a necessary one.

As I understand the page the 512 bits restriction is still true.

What I now did is to use 1024 bit *only* for tests in FrameworkRunner
class [1]. The key generated at server startup still has 512 bits.

Kind Regards,
Stefan

[1] http://svn.apache.org/viewvc?rev=1749199&view=rev
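
The failure described in this thread (the JDK's certpath policy rejecting a 512-bit RSA key while 1024 bits passes) can be checked directly against the JDK one is running on. The class below is an added example written for this page; it is not code from ApacheDS, from TlsKeyGenerator or from anyone in the thread. It reads the `jdk.certpath.disabledAlgorithms` security property, parses the `<alg> keySize <op> <n>` entries with a small parser written for this illustration (the JDK's own DisabledAlgorithmConstraints class is internal and understands more clause types, which this parser deliberately skips), and reports whether freshly generated 512-, 1024- and 2048-bit RSA keys fall under the policy. The class name CertPathKeySizeCheck and the helper name disabledReason are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.interfaces.RSAPublicKey;

/**
 * Added example (not ApacheDS code): evaluate an RSA key size against the
 * JDK's jdk.certpath.disabledAlgorithms policy, the property that makes
 * certification-path validation reject a 512-bit key on a JDK that lists
 * "RSA keySize < 1024".
 */
public class CertPathKeySizeCheck {

    /**
     * Returns the policy entry that disables the given algorithm/key size,
     * or null if no entry matches. Only two entry shapes are evaluated:
     * a bare algorithm name ("MD5") and "ALG keySize <op> N". Entries with
     * other conditions (e.g. "SHA1 jdkCA & usage TLSServer") and "include"
     * directives are skipped; this is a simplification made for the example.
     */
    static String disabledReason(String property, String algorithm, int keySize) {
        if (property == null) {
            return null;
        }
        for (String rawEntry : property.split(",")) {
            String entry = rawEntry.trim();
            if (entry.isEmpty() || entry.startsWith("include ")) {
                continue;
            }
            String[] parts = entry.split("\\s+");
            if (!parts[0].equalsIgnoreCase(algorithm)) {
                continue;
            }
            if (parts.length == 1) {
                return entry;                       // algorithm disabled outright
            }
            if (parts.length >= 4 && parts[1].equalsIgnoreCase("keySize")) {
                int limit = Integer.parseInt(parts[3]);
                boolean hit;
                switch (parts[2]) {
                    case "<":  hit = keySize <  limit; break;
                    case "<=": hit = keySize <= limit; break;
                    case "==": hit = keySize == limit; break;
                    case "!=": hit = keySize != limit; break;
                    case ">=": hit = keySize >= limit; break;
                    case ">":  hit = keySize >  limit; break;
                    default:   hit = false;
                }
                if (hit) {
                    return entry;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        System.out.println("jdk.certpath.disabledAlgorithms = " + policy);

        // Generate real key pairs at the three sizes discussed in the thread
        // and read the modulus length back instead of trusting the request.
        for (int requested : new int[] {512, 1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(requested);
            KeyPair kp = kpg.generateKeyPair();
            int actual = ((RSAPublicKey) kp.getPublic()).getModulus().bitLength();
            String reason = disabledReason(policy, "RSA", actual);
            System.out.printf("%4d-bit RSA key: %s%n", actual,
                    reason == null ? "accepted by certpath policy"
                                   : "rejected by policy entry \"" + reason + "\"");
        }
    }
}
```

Compile and run with `javac CertPathKeySizeCheck.java && java CertPathKeySizeCheck`. On a JDK whose policy contains `RSA keySize < 1024`, the 512-bit key is reported as rejected and the 1024- and 2048-bit keys as accepted, which matches the behaviour Stefan observed after raising KEY_SIZE. Note that `KeyPairGenerator` itself still hands out the 512-bit key without complaint: the property is consulted during certification-path validation (for example when a client validates the server's self-signed certificate), not when the key pair is created, so a server that starts up with a 512-bit key will not notice the problem until a JDK client tries to trust it.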