it's Oracle update day


Ian Young-3
The latest Java updates from Oracle (10.0.1, 8u171, 7u181, 6u191) make a couple of cryptographic changes. I don't _think_ they are particularly relevant for us, but here they are:

* To improve the strength of SSL/TLS connections, 3DES cipher suites have been disabled in SSL/TLS connections in the JDK via the jdk.tls.disabledAlgorithms Security Property.

* The secure validation mode of the XML Signature implementation has been enhanced to restrict EC keys less than 224 bits by default. The secure validation mode is enabled either by setting the property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty() method, or by running the code with a SecurityManager.

Note that although there's a 10.0.1, there is no update to Java 9 as it is now regarded as obsolete.

    -- Ian





--
To unsubscribe from this list send an email to [hidden email]

RE: it's Oracle update day

Cantor, Scott E.
> * The secure validation mode of the XML Signature implementation has been
> enhanced to restrict EC keys less than 224 bits by default. The secure
> validation mode is enabled either by setting the property
> org.jcp.xml.dsig.secureValidation to true with the
> javax.xml.crypto.XMLCryptoContext.setProperty() method, or by running
> the code with a SecurityManager.

We don't rely on their signature code anywhere.

-- Scott
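
A runtime check for the two changes listed in the first message, as an added example that is not part of the thread or of any project's code: it reports whether 3DES is named in jdk.tls.disabledAlgorithms and still offered by the default SSLContext, and sets secure validation explicitly on a DOMValidateContext. The class name, the empty ds:Signature element and the generated P-256 key are constructed placeholders.

```java
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class UpdateDayCryptoCheck {   // hypothetical class name

    /** True if the jdk.tls.disabledAlgorithms Security Property has a 3DES entry. */
    static boolean tripleDesDisabledByPolicy() {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        return disabled != null && Arrays.stream(disabled.split(","))
                .map(String::trim).anyMatch(entry -> entry.contains("3DES"));
    }

    /** 3DES cipher suites the default SSLContext still enables (expected empty after the update). */
    static String[] enabledTripleDesSuites() throws Exception {
        String[] suites = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        return Arrays.stream(suites).filter(s -> s.contains("3DES")).toArray(String[]::new);
    }

    /** Builds a validation context with secure validation switched on explicitly,
     *  rather than relying on a SecurityManager being present. */
    static DOMValidateContext secureContext(KeySelector keys, Element signature) {
        DOMValidateContext ctx = new DOMValidateContext(keys, signature);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version            = " + System.getProperty("java.version"));
        System.out.println("3DES disabled by policy = " + tripleDesDisabledByPolicy());
        System.out.println("3DES suites enabled     = " + Arrays.toString(enabledTripleDesSuites()));

        // Constructed inputs: an empty ds:Signature element and a freshly generated P-256 key.
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element sig = doc.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:Signature");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeySelector keys = KeySelector.singletonKeySelector(kpg.generateKeyPair().getPublic());

        DOMValidateContext ctx = secureContext(keys, sig);
        System.out.println("secureValidation        = "
                + ctx.getProperty("org.jcp.xml.dsig.secureValidation"));
    }
}
```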
