[11u] RFR: 8171279: Support X25519 and X448 in TLS
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Wed Oct 7 07:47:47 UTC 2020
Hi Martin,
Thanks for reviewing this!
> thanks for backporting this change. I think it's good to put it into 11.0.10,
> now, so we have enough testing time.
> > Enums are moved to a file of their own: NamedGroup.java
> > Removing the enums does not apply because in 13 FIPS support was
> > removed.
> So you just deleted them manually. Fine.
Yes.
> > Also, a name string was added.
> You mean "String name" in the code you removed?
Yes.
> > The supported group types differ, too.
> That's expected. Did that cause manual integration?
Yes, I had to resolve these parts.
It is chunk @@ -531,24 +211,33 @@
in
http://cr.openjdk.java.net/~goetz/wr20/8171279-X25519_in_TLS-jdk11/01/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java.udiff.html
> > The NamedGroups enum is moved to a file of its own.
> > Before this change, the named Groups knew about FIPS in 11. The new
> > ones don't.
> > https://bugs.openjdk.java.net/browse/JDK-8217835 "Remove the
> > experimental SunJSSE FIPS compliant mode"
> > removed FIPS support in 13 before this change was implemented.
> >
> > As I understand 8217835, the experimental FIPS feature cannot be used in
> > 11, it just remained in the code. So I skipped adapting NamedGroups to the
> > old behaviour, I cannot test it anyways.
> > What do you think, do we need to add this code to NamedGroup.java
> > again?
> Sounds like this is ok according to the CSR
> https://bugs.openjdk.java.net/browse/JDK-8217907
> Since this file is new with this backport, I prefer keeping it like the original
> one for the backport.
> We could open a new bug in case anybody wants it back, but I guess that's
> not the case.
Ok, good.
I think restoring that functionality would be a wasted effort.
> There's still some Fips code there:
> (!requireFips || namedGroup.isFips)*/ ) { // GL fix isFips
> With a comment!
> What are you planning to do with it?
Remove it if we decide to drop FIPS support.
Else I would have to reactivate it I guess.
I would like to get a second opinion on the FIPS issue from
someone outside SAP.
Thanks and best regards,
Goetz.