[11u] RFR(M): 8234728: Some security tests should support TLSv1.3

Langer, Christoph christoph.langer at sap.com
Mon Apr 6 05:54:19 UTC 2020 

Hi Goetz,

thanks for doing this backport. I had a look now.

I think it is ok, to just keep the old list of ciphersuites in test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java, instead of making the old list fit into the commented format of the list that comes with the patch.

For test/jdk/sun/security/util/HostnameMatcher/NullHostnameCheck.java I have a question: Why don't you take the hunk to use the passed protocol for clientCtx (https://hg.openjdk.java.net/jdk/jdk/rev/d6a38e8f7389#l6.35) ? I think it would fit.

In test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java, I would not uncomment the lines of TLS_CHACHA20_POLY1305_SHA256 and TLS_CHACHA20_POLY1305_SHA256 but rather drop them completely. These suites don't exist in 11 and for CipherSuitesInOrder.java we also don't keep them commented.

Best regards
Christoph


> -----Original Message-----
> From: jdk-updates-dev <jdk-updates-dev-bounces at openjdk.java.net> On
> Behalf Of Lindenmaier, Goetz
> Sent: Freitag, 3. April 2020 13:26
> To: jdk-updates-dev at openjdk.java.net
> Subject: [CAUTION] [11u] RFR(M): 8234728: Some security tests should
> support TLSv1.3
> 
> Hi,
> 
> I would like to downport this for parity with 11.0.8-oracle.
> 
> http://cr.openjdk.java.net/~goetz/wr20/8234728-security_tests-
> jdk11/webrev/
> 
> Although this change claims it is a test fix, it touches
> java.base. It fixes some type-os there.
> Some of the comments fixed are not in CipherSuite.java in
> 11u, so the patch did not apply. I had to skip these.
> 
> Also, the change did not cleanly apply to the the test
> NullHostnameCheck.java
> because "8228967: Trust/Key store and SSL context utilities for tests" is not
> in 11. I adapted it.  The TLS level is now passed to the test.
> 
> The change makes TLSCipherSuitesOrder.java fail.
> First, it looks for a Cipher Suite not in 11. I removed this.
> Second, it depends on a change by "8171279: Support X25519 and
> X448 in TLS". This is a big change and only a single function
> call is needed. I added only the required changes of 8171279 to
> TLSSocketTemplate.java in this change.
> 
> I also changed CipherSuitesInOrder.java so that it passes.
> I kept the old list of supportedCipherSuites, and
> added TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384.
> 
> Please review.
> 
> Original change:
> https://bugs.openjdk.java.net/browse/JDK-8234728
> https://hg.openjdk.java.net/jdk/jdk14/rev/fa82151f29c4

More information about the jdk-updates-dev mailing list