[11u] RFR 8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Wed Dec 2 14:59:49 UTC 2020
Hi Martin,
The change passed our nightly testing.
It looks good to me, but I cannot comment on the
very internals of it.
Thanks again for fixing this!
Best regards,
Goetz
> -----Original Message-----
> From: Martin Balao <mbalao at redhat.com>
> Sent: Tuesday, December 1, 2020 11:07 PM
> To: jdk-updates-dev at openjdk.java.net; Lindenmaier, Goetz
> <goetz.lindenmaier at sap.com>
> Cc: Andrew Haley <aph at redhat.com>; Severin Gehwolf
> <sgehwolf at redhat.com>
> Subject: [11u] RFR 8257545: SunJSSE FIPS regression in key exchange after
> JDK-8171279 11u backport
>
> Hi,
>
> As discussed in [1], this is a fix for the JDK-8257545 regression
> affecting 11u [2].
>
> I'd like to have a review of Webrev.00:
>
> *
> http://cr.openjdk.java.net/~mbalao/webrevs/8257545/8257545.webrev.00/
>
> The fix is about picking the crypto provider used to initialize SunJSSE
> (if any) while performing the key exchange phase of the TLS handshake.
>
> Please note that SunPKCS11 does not register AlgorithmParameters for the
> DiffieHellman algorithm. Other crypto providers may do that as well. So
> it's not always possible to identify a Named Group based on the
> parameter values. Even though I see no downside of making SunPKCS11
> register AlgorithmParameters for DiffieHellman with the DHParameters
> class, I prefer to stay on a more conservative side at this time and
> also cover non-SunPKCS11 cases. As a result, we skip the Named Group
> identification in NamedGroup.java if ng.functions.getParameters returned
> value is null. Note: this is what 11.0.9 and previous releases are
> doing, as checked debugging old releases. This is unlikely to affect JDK
> releases after 13u because AlgorithmParameters may be obtained from any
> crypto provider, and not only the one used to initialize SunJSSE (if one).
>
> I'm currently running regression testing. Let you know if I find
> something wrong.
>
> Thanks,
> Martin.-
>
> --
> [1] - http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-November/004164.html
> [2] - https://bugs.openjdk.java.net/browse/JDK-8257545
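
The provider behaviour described in the quoted message can be checked on a given JDK with public JCA calls only. The following is an added example, not code from the webrev or from SunJSSE; the class name `DhParamsProbe`, the helper `dhParametersFrom` and the toy group are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidParameterSpecException;
import java.util.Optional;
import javax.crypto.spec.DHParameterSpec;

public class DhParamsProbe {

    // Hypothetical helper: asks ONLY the pinned provider for DiffieHellman
    // AlgorithmParameters. Returns empty when the provider does not register
    // that service, so the caller can skip parameter-based group identification
    // instead of failing the handshake.
    static Optional<AlgorithmParameters> dhParametersFrom(Provider pinned,
                                                          DHParameterSpec spec) {
        if (pinned.getService("AlgorithmParameters", "DiffieHellman") == null) {
            return Optional.empty();
        }
        try {
            AlgorithmParameters ap =
                    AlgorithmParameters.getInstance("DiffieHellman", pinned);
            ap.init(spec);
            return Optional.of(ap);
        } catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed toy group (p = 23, g = 5); used only to initialise the
        // parameters object, never for a real key exchange.
        DHParameterSpec spec = new DHParameterSpec(
                BigInteger.valueOf(23), BigInteger.valueOf(5));

        for (Provider p : Security.getProviders()) {
            boolean canGenerateKeys =
                    p.getService("KeyPairGenerator", "DiffieHellman") != null;
            boolean hasParams = dhParametersFrom(p, spec).isPresent();
            // A provider with DH key generation but no DH AlgorithmParameters
            // is the case where named-group identification has to be skipped.
            System.out.printf("%-12s DH KeyPairGenerator=%-5b DH AlgorithmParameters=%-5b%s%n",
                    p.getName(), canGenerateKeys, hasParams,
                    canGenerateKeys && !hasParams ? "  <- skip group identification" : "");
        }
    }
}
```

Run it with the same `java.security` configuration the TLS endpoint uses, so the provider list matches the one SunJSSE is initialized with.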