[11u] RFR: 8223482: Unsupported ciphersuites may be offered by a TLS client

Martin Balao mbalao at redhat.com
Thu Jul 18 19:38:46 UTC 2019


Hi,

I'd like to request a review for the jdk11u backport of 8223482 [1]:

http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.jdk11u.webrev.00/

There are 2 changes compared to the JDK version [2]:

 * SSLCipher.java
  * "Cipher.getInstance" replaced with "JsseJce.getCipher" in
SSLCipher::isTransformationAvailable
   * JDK-11 has SunJSSE experimental FIPS support (which was removed in
JDK), so we are able to check if the transformation is supported by
SunJSSE's crypto provider. We don't need to check if it's supported by
any provider because SunJSSE's crypto provider is the one that will be
used for the TLS connection.

 * TestTLS12.java (FipsModeTLS12.java in JDK):
  * The change in TestTLS12::initialize does not apply to JDK-11
   * In JDK-11, we don't remove security providers because we are able
to set the one that has to be used in SunJSSE (due to SunJSSE
experimental FIPS support).

Testing:

 * No regressions found in:
  * jdk/sun/security/pkcs11
  * jdk/javax/net/ssl
  * jdk/com/sun/crypto/provider/TLS

 * TestTLS12 updated to cover this patch

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8223482
[2] - http://hg.openjdk.java.net/jdk/jdk/rev/d0f73fccf5f3
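
An added example, not part of the original message or of the OpenJDK patch: a stand-alone Java program showing the distinction described under SSLCipher.java, between a transformation supported by any installed provider and one supported by the provider that will actually be used. It uses only the public `Cipher.getInstance` API, because `JsseJce` is JDK-internal. The class name `OfferedSuiteCheck`, the suite-to-transformation map and the default provider `SunJCE` are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;

public class OfferedSuiteCheck {
    // Constructed sample: candidate suite name -> bulk cipher transformation.
    static final Map<String, String> SUITES = new LinkedHashMap<>();
    static {
        SUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "AES/GCM/NoPadding");
        SUITES.put("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ChaCha20-Poly1305");
        SUITES.put("TLS_RSA_WITH_AES_128_CBC_SHA", "AES/CBC/NoPadding");
        SUITES.put("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "DESede/CBC/NoPadding");
    }

    // provider == null asks "does any installed provider support this?";
    // a non-null provider asks "does the provider we will use support this?".
    static boolean isAvailable(String transformation, Provider provider) {
        try {
            if (provider == null) {
                Cipher.getInstance(transformation);
            } else {
                Cipher.getInstance(transformation, provider);
            }
            return true;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException or NoSuchPaddingException
            return false;
        }
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "SunJCE"; // assumed default
        Provider pinned = Security.getProvider(name);
        if (pinned == null) {
            System.err.println("Provider not installed: " + name);
            System.exit(1);
        }
        for (Map.Entry<String, String> e : SUITES.entrySet()) {
            boolean any = isAvailable(e.getValue(), null);
            boolean own = isAvailable(e.getValue(), pinned);
            // Only suites the pinned provider can encrypt should be offered.
            System.out.printf("%-46s any=%-5b %s=%-5b -> %s%n",
                    e.getKey(), any, name, own, own ? "offer" : "do not offer");
        }
    }
}
```

Pass a provider name as the first argument to check a different installed provider; a suite reported as `any=true` but false for the pinned provider is the case where the two checks disagree.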

