On Wed, 1 Nov 2023 13:58:01 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> I don't see a behavior change that conflicts with the CSR. I think it is a
>> wording issue, let me suggest some improvements in another comment. There is
>> no longer a default value for `jdk.tls.maxCertificateChainLength`. Where is
>> it set to 8 in the code?
>
> When no system property is set, previously max inbound length is 10, now it's
> 8.

I think the wording of the comment is somewhat confusing because it is trying to explain the behavior of both properties together and the words "either" and "neither" may be hard to parse. I recommend separate comment blocks for each property. Here is a suggestion for the server side setting:

    /*
     * maxInboundClientCertChainLen is the maximum length of a client certificate
     * chain accepted by a server. It is determined as follows:
     *  - If the jdk.tls.server.maxInboundCertificateChainLength system property
     *    is set and its value >= 0, it uses that value.
     *  - Otherwise, if the jdk.tls.maxCertificateChainLength system property is
     *    set and its value >= 0, it uses that value.
     *  - Otherwise it is set to a default value of 8.
     */

The client side setting would be similar.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15163#discussion_r1378856511
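
The precedence spelled out in the suggested comment, as an added example that is not part of the review thread or the JDK source. The class name, the `resolve` and `parse` helpers and the sample values are hypothetical, and treating a non-numeric value as unset is an assumption.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class ChainLimitResolution {
    static final String SERVER_PROP = "jdk.tls.server.maxInboundCertificateChainLength";
    static final String GENERIC_PROP = "jdk.tls.maxCertificateChainLength";
    static final int DEFAULT_LEN = 8; // default stated in the suggested comment

    // Assumption: an unset or non-numeric value counts as "not set".
    static Integer parse(String raw) {
        if (raw == null) return null;
        try {
            return Integer.decode(raw);
        } catch (NumberFormatException e) {
            return null;
        }
    }

    // Server-side limit on the inbound client certificate chain length.
    static int resolve(Function<String, String> props) {
        Integer specific = parse(props.apply(SERVER_PROP));
        if (specific != null && specific >= 0) return specific; // specific property wins
        Integer generic = parse(props.apply(GENERIC_PROP));
        if (generic != null && generic >= 0) return generic;    // then the generic one
        return DEFAULT_LEN;                                      // otherwise the default
    }

    public static void main(String[] args) {
        // Constructed property sets; the comment on each line is the resolved limit.
        List<Map<String, String>> cases = List.of(
            Map.<String, String>of(),                      // 8: nothing set
            Map.of(SERVER_PROP, "5", GENERIC_PROP, "12"),  // 5: specific beats generic
            Map.of(GENERIC_PROP, "12"),                    // 12: generic fallback
            Map.of(SERVER_PROP, "-1", GENERIC_PROP, "12"), // 12: negative falls through
            Map.of(SERVER_PROP, "-1"),                     // 8: negative, no fallback set
            Map.of(SERVER_PROP, "0"),                      // 0: zero satisfies >= 0
            Map.of(SERVER_PROP, "abc"));                   // 8: non-numeric (assumption)
        for (Map<String, String> c : cases) {
            System.out.println(c + " -> " + resolve(c::get));
        }
        // Resolution against the properties of the running JVM.
        System.out.println("this JVM -> " + resolve(System::getProperty));
    }
}
```

Running it with `-Djdk.tls.maxCertificateChainLength=10` on the command line changes only the last printed line, which is a quick way to confirm which property is taking effect in a given launch configuration.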