[11u] RFR: 8202343: Disable TLS 1.0 and 1.1

Langer, Christoph christoph.langer at sap.com
Thu Jan 14 10:04:45 UTC 2021 

Hi Severin,

your backport of this change looks good. Our nightly tests also show no regressions.
 
As for the TCK problems: Oracle informed us that one has to re-enable the algorithms to pass the JCK test suite. No changes or excludes to the current suite are planned. Re-enabling can be accomplished by  removing "TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file (e.g. by overriding settings).

So I think this is good to go now.

Best regards
Christoph

> -----Original Message-----
> From: Severin Gehwolf <sgehwolf at redhat.com>
> Sent: Donnerstag, 7. Januar 2021 15:30
> To: Langer, Christoph <christoph.langer at sap.com>; jdk-updates-dev <jdk-
> updates-dev at openjdk.java.net>
> Subject: Re: [11u] RFR: 8202343: Disable TLS 1.0 and 1.1
> 
> Hi Christoph,
> 
> On Thu, 2021-01-07 at 14:16 +0000, Langer, Christoph wrote:
> > Hi Severin,
> >
> > Happy new year!
> 
> Thanks. Happy new year to you too!
> 
> > This is not a review yet, I just wanted to let you know that we
> > started testing your backport, together with the two follow up items.
> >
> > Results so far look quite promising as far as regressions are
> > concerned. The only thing is that this change will break TCK as of
> > now, so we just asked Oracle on whether there will be a TCK update
> > for this. (I assume it must be...)
> >
> > Will get back to you.
> 
> OK, thank you!
> 
> Cheers,
> Severin
> 
> > Best regards
> > Christoph
> >
> > > -----Original Message-----
> > > From: jdk-updates-dev <jdk-updates-dev-retn at openjdk.java.net> On
> > > Behalf Of Severin Gehwolf
> > > Sent: Freitag, 18. Dezember 2020 19:35
> > > To: jdk-updates-dev <jdk-updates-dev at openjdk.java.net>
> > > Subject: [11u] RFR: 8202343: Disable TLS 1.0 and 1.1
> > >
> > > Hi,
> > >
> > > Please review this downport for disabling TLS 1.0 and 1.1 via the
> > > tls.disabledAlgorithms security property.
> > >
> > > The JDK 16 patch didn't apply cleanly. The differences are context
> > > changes mostly. The hunk to TlsContextTest.java has been omitted
> > > since
> > > that test has been introduced with JDK 12+ (via JDK-8239594, not in
> > > JDK
> > > 11). Once reviewed and approved my intention is to push this
> > > together
> > > with follow-ups JDK-8256682 and JDK-8257083.
> > >
> > > CSR for this is (reused from Oracle):
> > > https://bugs.openjdk.java.net/browse/JDK-8257122
> > >
> > > Bug: https://bugs.openjdk.java.net/browse/JDK-8202343
> > > webrev: https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-
> > > 8202343/01/webrev/
> > >
> > > Testing: jdk_security tests. No regressions noted.
> > >
> > > Thoughts?
> > >
> > > Thanks,
> > > Severin
> >
>

More information about the jdk-updates-dev mailing list