[11u] RFR: 8171279: Support X25519 and X448 in TLS

Lindenmaier, Goetz goetz.lindenmaier at sap.com
Mon Nov 30 11:30:32 UTC 2020


> I understand, but when a patch breaks something, that patch is at fault.
> If 8171279 were a critical bug fix I might have a little more sympathy
> with your argument, but the new EC curves are a feature update.

TLS is a security feature, and thus I think the change is not only 
a nice-to-have. TLS is quite prominent currently in our customer 
messages. The FIPS feature is unsupported, and as I understand
you can and shall select FIPS certified security by other means.
So I'm not sure whether we should take this lightly.
Unfortunately, I do not know about the importance of these two
new curves.

I will roll back the change if necessary.

Best regards,
  Goetz.



> -----Original Message-----
> From: Andrew Haley <aph at redhat.com>
> Sent: Monday, November 30, 2020 11:45 AM
> To: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; Martin Balao
> <mbalao at redhat.com>; jdk-updates-dev at openjdk.java.net
> Cc: Severin Gehwolf <sgehwolf at redhat.com>
> Subject: Re: [11u] RFR: 8171279: Support X25519 and X448 in TLS
> 
> On 11/30/20 10:06 AM, Lindenmaier, Goetz wrote:
> > I have been looking at your test, but it is not yet working
> > on my machine. It skips the test after initializing.
> >
> > Before backing out, we should consider whether
> > not having the new EC curves introduced by 8171279
> > in 11.0.10 is acceptable. This is an extension that is
> > documented as CSR and might be expected by people.
> > It is in 11.0.10-oracle, too.
> 
> I understand, but when a patch breaks something, that patch is at fault.
> If 8171279 were a critical bug fix I might have a little more sympathy
> with your argument, but the new EC curves are a feature update.
> 
> > To me, it seems more relevant than the FIPS feature broken,
> > which never has been an official feature as I understand,
> > and of which it has been communicated (unofficially) that it
> > does not work any more since 9.
> >
> > Nevertheless we should fix it if broken, maybe in 11.0.11.
> 
> Please.
> 
> There's some basic discipline here: patches shouldn't cause
> regressions. It's the responsibility of those who make changes
> to ensure this.
> 
> --
> Andrew Haley  (he/him)
> Java Platform Lead Engineer
> Red Hat UK Ltd. <https://www.redhat.com>
> https://keybase.io/andrewhaley
> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671


