[7u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

Sergey Chernyshev serge.chernyshev at bell-sw.com
Thu Mar 11 08:19:42 UTC 2021


Hello,

Please review the backport of JDK-8233228. This is a parity backport with Oracle 7u281.

Original bug: https://bugs.openjdk.java.net/browse/JDK-8233228
8u patch: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/886fa7874189
7u webrev: http://cr.openjdk.java.net/~alexsch/sercher/8233228.7u/webrev.00/

Please note the patch depends on, and is applied on top of, JDK-8035166, which is under review [1].

The patch doesn't apply cleanly. The following changes were made, compared to the 8u patch.

- java.security-aix is not in 7u, skipped
- in java.security-* jdk.tls.disabledAlgorithms fully disables RC4 in 8u.
  The proposed (clean) patch only includes jdk.disabled.namedCurves while still
  allowing RC4-based cipher suites in TLS (JDK-8076221 is not yet in 7u)
- context change in DisabledAlgorithmConstraints.java, hunk #7
- in AbstractAlgorithmConstraints.java, whitespace conflict + getAlgorithms() requires
  the parameter to be final, so as to access it from an anonymous inner class
- context change in keytool/Main.java, hunk #1


The following tests were run.

java/security
javax/crypto
com/sun/crypto
javax/xml/crypto
com/sun/security
lib/security
javax/net
javax/security
sun/security
com/sun/org/apache/xml/internal/security
com/oracle/security


Thanks,

Sergey


[1] https://mail.openjdk.java.net/pipermail/jdk7u-dev/2020-December/011069.html

-- 
Best regards,
Sergey Chernyshev
Bellsoft LLC
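
The message above notes that the 7u backport adds jdk.disabled.namedCurves while jdk.tls.disabledAlgorithms still leaves RC4 enabled. The following is an added example, not part of the original post or the patch: a small audit of java.security-style text that checks both points. The `include jdk.disabled.namedCurves` entry syntax and the certpath/jar property names are assumed from upstream JDK java.security files, and the sample input is constructed.

```python
# Added example: audit java.security-style text for the settings discussed above.
CURVES_PROP = "jdk.disabled.namedCurves"
CONSTRAINT_PROPS = (            # TLS, CertPath and signed-JAR constraint properties
    "jdk.tls.disabledAlgorithms",
    "jdk.certpath.disabledAlgorithms",
    "jdk.jar.disabledAlgorithms",
)

# Constructed sample (not the real 7u file): curve list shortened, jar include omitted.
SAMPLE = r"""
# comment line
jdk.disabled.namedCurves = secp112r1, secp160k1
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \
    include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, \
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
"""

def parse_security_props(text):
    """Parse key=value lines with '#' comments and backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        pending = ""
        # Normalise inner whitespace so "include   x" still matches.
        props[key.strip()] = [" ".join(v.split()) for v in value.split(",") if v.strip()]
    return props

def audit(text):
    """Report whether the curve list exists, who fails to include it, and RC4 status."""
    props = parse_security_props(text)
    include = "include " + CURVES_PROP
    return {
        "curves_defined": bool(props.get(CURVES_PROP)),
        "missing_include": [p for p in CONSTRAINT_PROPS if include not in props.get(p, [])],
        "rc4_disabled_in_tls": "RC4" in props.get("jdk.tls.disabledAlgorithms", []),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only an exact `RC4` entry counts as RC4 being fully disabled; the parser assumes `=` as the key separator, as java.security files use.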



