[11u] RFR: 8171279: Support X25519 and X448 in TLS

Martin Balao mbalao at redhat.com
Tue Dec 1 03:37:04 UTC 2020


Quick update:

I'm not done yet but here you have a preview of my changes:
http://people.redhat.com/mbalaoal/openjdk/workspace/sunjsse_experimental_fips_support_and_dh_jdk11u/test_experimental_fips_with_dh.jdk11u.v1.patch

That fix looks enough for the reproducer to pass, but I still need to
track a few things to make sure only SunJSSE's FIPS provider (if any) is
used. When done, I'll create a new bug and send a Webrev for review. If
we can't meet the ramp-down deadline, I'll request a critical fix for
maintainers to decide.

Thanks,
Martin.-


On 11/30/20 11:43 AM, Martin Balao wrote:
> Hi Goetz,
> 
> Thanks for having a look at this.
> 
> On 11/30/20 7:06 AM, Lindenmaier, Goetz wrote:
>>
>> I have been looking at your test, but it is not yet working
>> on my machine. It skips the test after initializing.
>>
> 
> Yes, NSS tests require some help from the environment so they might be
> skipped. A Linux-based environment with the NSS library located in the
> (major distros) standard path should make it. Let me know if I can help
> with that.
> 
>> Before backing out, we should consider whether 
>> not having the new EC curves introduced by 8171279
>> in 11.0.10 is acceptable. This is an extension that is
>> documented as CSR and might be expected by people.
>> It is in 11.0.10-oracle, too.
>>
> 
> I should be able to come up with a fix later today. The fix looks
> straightforward -it's essentially replacing KeyAgreement::getInstance
> calls with the previous calls-, but I want to make sure that everything
> else is fine.
> 
>> To me, it seems more relevant than the FIPS feature broken, 
>> which never has been an official feature as I understand,
>> and of which it has been communicated (unofficially) that it
>> does not work any more since 9.
> 
> FIPS support in SunJSSE works up to 13, and our users rely on that. The
> comment about stopping to work in 9 is wrong -I'll try to have it fixed,
> as it has caused enough confusion-. There is a public API to initialize
> FIPS in SunJSSE, which is through the java.security configuration file
> (when you pass an argument to the SunJSSE security provider line).
> 
> Thanks,
> Martin.-
> 



More information about the jdk-updates-dev mailing list