[7u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Alexey Bakhtin
alexey at azul.com
Thu Mar 11 09:49:59 UTC 2021
Hello Sergey,
Thank you for the backport.
I’m not reviewer but I verified your patch and it looks good to me.
Thank you
Alexey
> On 11 Mar 2021, at 11:19, Sergey Chernyshev <serge.chernyshev at bell-sw.com> wrote:
>
> Hello,
>
> Please review the backport of JDK-8233228. This is a parity backport with Oracle 7u281.
>
> Original bug: https://bugs.openjdk.java.net/browse/JDK-8233228
> 8u patch: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/886fa7874189
> 7u webrev: http://cr.openjdk.java.net/~alexsch/sercher/8233228.7u/webrev.00/
>
> Please note the patch depends on, and applied on top of JDK-8035166 which is under review [1].
>
> The patch doesn't apply cleanly. The following changes were made, compared to 8u patch.
>
> - java.security-aix is not in 7u, skipped
> - in java.security-* jdk.tls.disabledAlgorithms fully disables RC4 in 8u.
> The proposed (clean) patch only includes jdk.disabled.namedCurves while still
> allowing RC4-based cipher suites in TLS (JDK-8076221 is not yet in 7u)
> - context change in DisabledAlgorithmConstraints.java, hunk #7
> - in AbstractAlgorithmConstraints.java, whitespace conflict + getAlgorithms() requires
> the parameter to be final, so to access it from anonymous inner class
> - context change in keytool/Main.java, hunk #1
>
>
> The following tests were run.
>
> java/security
> javax/crypto
> com/sun/crypto
> javax/xml/crypto
> com/sun/security
> lib/security
> javax/net
> javax/security
> sun/security
> com/sun/org/apache/xml/internal/security
> com/oracle/security
>
>
> Thanks,
>
> Sergey
>
>
> [1] https://mail.openjdk.java.net/pipermail/jdk7u-dev/2020-December/011069.html
>
> --
> Best regards,
> Sergey Chernyshev
> Bellsoft LLC
>
More information about the jdk7u-dev
mailing list