[11u] RFR: 8171279: Support X25519 and X448 in TLS

Martin Balao mbalao at redhat.com
Mon Nov 30 14:43:10 UTC 2020


Hi Goetz,

Thanks for having a look at this.

On 11/30/20 7:06 AM, Lindenmaier, Goetz wrote:
> 
> I have been looking at your test, but it is not yet working
> on my machine. It skips the test after initializing.
>

Yes, NSS tests require some help from the environment so they might be
skipped. A Linux-based environment with the NSS library located in the
(major distros) standard path should make it. Let me know if I can help
with that.

> Before backing out, we should consider whether 
> not having the new EC curves introduced by 8171279
> in 11.0.10 is acceptable. This is an extension that is
> documented as CSR and might be expected by people.
> It is in 11.0.10-oracle, too.
>

I should be able to come up with a fix later today. The fix looks
straightforward -it's essentially replacing KeyAgreement::getInstance
calls with the previous calls-, but I want to make sure that everything
else is fine.

> To me, it seems more relevant than the FIPS feature broken, 
> which never has been an official feature as I understand,
> and of which it has been communicated (unofficially) that it 
> does not work any more since 9.

FIPS support in SunJSSE works up to 13, and our users rely on that. The
comment about it having stopped working in 9 is wrong -I'll try to have it fixed,
as it has caused enough confusion-. There is a public API to initialize
FIPS in SunJSSE, which is through the java.security configuration file
(when you pass an argument to the SunJSSE security provider line).

Thanks,
Martin.-


