[11u] RFR: 8171279: Support X25519 and X448 in TLS
Andrew Hughes
gnu.andrew at redhat.com
Thu Nov 26 17:52:19 UTC 2020
On 15:20 Tue 24 Nov , Martin Balao wrote:
> Hi Goetz,
>
> I'm not entirely sure how the FIPS support was not broken in 11u after
> 8171279. What I see previous to the backport is that the crypto provider
> for the key exchange scheme was obtained through the
> JsseJce::getKeyAgreement method [1]. This method takes into account the
> presence of a FIPS-initialized SunJSSE engine [2]. After the backport, I
> see that the implementation of any security provider could be used [3].
> This means that the FIPS promise (that is: the SunJSSE engine will
> obtain all the crypto primitives from the security provider used for its
> initialization) is broken. Let me know if I'm overlooking something.
>
> Note: Severin let me know that we are close to ramp-down (this week).
>
> Thanks,
> Martin.-
>
FWIW, rampdown for 11u is Tuesday, the 1st of December (a few days
later than 8u's on Friday)
Thanks,
--
Andrew :)
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
More information about the jdk-updates-dev
mailing list