Bug 1222718

Summary: security:tls/crypto-policies: Bug
Product: [openSUSE] openSUSE.org Reporter: Dirk Stoecker <opensuse>
Component: 3rd party softwareAssignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: NEW --- QA Contact: E-mail List <screening-team-bugs>
Severity: Normal    
Priority: P5 - None CC: otto.hollmann
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dirk Stoecker 2024-04-12 09:25:34 UTC 
The file /etc/crypto-policies/back-ends/java.config contains plain SHA1 in the line jdk.certpath.disabledAlgorithms. While that's in principle a good idea in this special case it's bad.

The Java settings still allow SHA1 for older CA certs (like Webbrowsers do) when it is used for the self-signing of CAs. Please adapt the line, as there are still many servers out there which use CAs which are created with SHA1 signatures. That's no security issues, as this self-signed part of the signature of an CA anyway has no real importance.

In /usr/lib64/jvm/java-21-openjdk-21/conf/security/java.security it is:

MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01

That's a much better setting than what's currently used in crypto-policies package.

That would be important, as the crpyto-policies overrides the java setting by default.