[Bug 2390] [IcedTea7] Make elliptic curve removal optional

bugzilla-daemon at icedtea.classpath.org
Tue Mar 1 09:01:39 UTC 2016


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2390

Andrew Haley <aph at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aph at redhat.com

--- Comment #10 from Andrew Haley <aph at redhat.com> ---
(In reply to Tomas Gustavsson from comment #8)
> Sorry, will not re-open again.
> 
> I still withhold. With these changes Java is less usable for
> security-interested industries such as Banking, government etc, which do use
> other curves.
> Saying that it's configurable when building OpenJDK doesn't help much since
> banks and others want to use RHEL with packaged Java.

There's something that hasn't been explained here.

Sessions negotiate their connections based on the list of curves that
is available.  It's vital during that negotiation that you don't
advertise curves that you can't support.  The list of curves is
statically configured in the provider.  Therefore, for negotiation to
succeed, the list of supported curves must be the minimum set that we
know we can support.



More information about the distro-pkg-dev mailing list
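
The point in comment #10, that a runtime must only advertise curves it can actually back with working crypto, can be checked on an installed JDK. The probe below is an added example, not code from the bug report or from IcedTea; the class name `CurveProbe` and the candidate curve list are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CurveProbe {
    // Candidate names are an assumption for illustration; substitute the
    // curves your deployment is expected to negotiate.
    static final List<String> CANDIDATES = Arrays.asList(
        "secp256r1", "secp384r1", "secp521r1", "secp256k1", "brainpoolP256r1");

    /** True only if the installed EC provider can really generate a key on the curve. */
    static boolean usable(String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return true;
        } catch (GeneralSecurityException | RuntimeException e) {
            // No EC provider, unknown curve name, or a provider-level failure.
            return false;
        }
    }

    /** Curves from 'advertised' that this runtime cannot support. */
    static List<String> unsupported(List<String> advertised) {
        List<String> missing = new ArrayList<String>();
        for (String c : advertised) {
            if (!usable(c)) missing.add(c);
        }
        return missing;
    }

    public static void main(String[] args) {
        // Pass the curve names to check as arguments, or fall back to CANDIDATES.
        List<String> advertised = args.length > 0 ? Arrays.asList(args) : CANDIDATES;
        List<String> missing = unsupported(advertised);
        for (String c : advertised) {
            System.out.println(c + ": " + (missing.contains(c) ? "NOT usable" : "usable"));
        }
        // A non-zero exit lets a packaging or CI check fail when the list drifts.
        System.exit(missing.isEmpty() ? 0 : 1);
    }
}
```

Any name reported as not usable is one that must not appear in the list the provider advertises during negotiation on that build.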