Can you disable SHA1 with jdk.certpath.disabledAlgorithms?

1805461 Member Posts: 2

If I add "SHA256" to jdk.certpath.disabledAlgorithms in java.security, I can no longer create SSL connections to a server with a certificate with a signature algorithm of "SHA256withRSA".


However, if I add "SHA1" to jdk.certpath.disabledAlgorithms, I can still create SSL connections to a server with a certificate with a signature algorithm of "SHA1withRSA".

I have also tried adding "SHA-1" and "SHA1withRSA", with no luck.


Does anyone know why SHA256 can be disabled in this way, but not SHA1?

This is not just idle curiosity - I am trying to understand what other things might bear on disabling cert algorithms.

(This is jre1.8.0_66.)


Thanks in advance.

Kevin

Answers

  • 1805461
    1805461 Member Posts: 2
    edited Jul 8, 2016 10:09AM

    If the trust store has a copy of the server cert, the cert is trusted, and the disabled algorithms ARE NOT checked, and so the cert is not rejected with "Algorithm constraints check failed".

    If the trust store has the root CA cert, the cert is trusted, and the disabled algorithms ARE checked, and so the cert is rejected with "Algorithm constraints check failed".

    This is what I think. Am I correct?
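The distinction the poster describes comes from PKIX path validation: the certificate found in the trust store becomes the trust anchor, its own signature is never verified, so the signature-algorithm constraint is applied only to the certificates below it. The following is an added model of that behaviour, written for this page and not JDK code; it assumes certificates as plain dicts, a trust store as a set of subject names, and it does not model the keySize clauses of jdk.certpath.disabledAlgorithms.

```python
import re

def parse_disabled(value):
    """Parse a jdk.certpath.disabledAlgorithms value into a set of bare algorithm names."""
    names = set()
    for entry in value.split(","):
        parts = entry.split()
        if len(parts) == 1:  # 'RSA keySize < 1024' style clauses are not modelled here
            names.add(parts[0].upper())
    return names

def sig_components(sig_alg):
    """Split 'SHA1withRSA' into ('SHA1', 'RSA'); a constraint on either part matches."""
    m = re.match(r"(?i)^(.+?)with(.+)$", sig_alg)
    return (m.group(1).upper(), m.group(2).upper()) if m else (sig_alg.upper(),)

def build_path(server_cert, all_certs, trust_store):
    """Walk issuer links from the server cert until a trusted subject is reached.

    Returns (certs_to_check, anchor). The anchor is deliberately NOT part of
    certs_to_check: PKIX never verifies the trust anchor's own signature.
    """
    by_subject = {c["subject"]: c for c in all_certs}
    path, cur = [], server_cert
    while cur is not None:
        if cur["subject"] in trust_store:
            return path, cur
        path.append(cur)
        cur = None if cur["issuer"] == cur["subject"] else by_subject.get(cur["issuer"])
    return None, None

def validate(server_cert, all_certs, trust_store, disabled_value):
    """Return the outcome string a JDK 8 client would report for this chain."""
    disabled = parse_disabled(disabled_value)
    path, anchor = build_path(server_cert, all_certs, trust_store)
    if anchor is None:
        return "PKIX path building failed"
    for cert in path:
        if any(part in disabled for part in sig_components(cert["sig_alg"])):
            return "Algorithm constraints check failed: " + cert["sig_alg"]
    return "OK"

# Constructed sample chain: a SHA1-signed server cert issued by a SHA1-signed root.
ROOT = {"subject": "CN=Example Root", "issuer": "CN=Example Root", "sig_alg": "SHA1withRSA"}
SERVER = {"subject": "CN=server.example", "issuer": "CN=Example Root", "sig_alg": "SHA1withRSA"}
CHAIN = [SERVER, ROOT]

def demo(disabled="MD2, MD5, SHA1, RSA keySize < 1024"):
    """Same chain, same java.security setting; only the trust store contents differ."""
    return {"leaf_in_truststore": validate(SERVER, CHAIN, {"CN=server.example"}, disabled),
            "root_in_truststore": validate(SERVER, CHAIN, {"CN=Example Root"}, disabled)}
```

With the server cert itself trusted, the checked path is empty and the SHA1 signature is never examined; with only the root trusted, the server cert is in the path and is rejected.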
