[7u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Sergey Chernyshev
serge.chernyshev at bell-sw.com
Thu Mar 11 16:09:40 UTC 2021
Yuri, thank you for the review.
On 11.03.2021 14:08, Yuri Nesterenko wrote:
> Fine, looks good to me.
>
> --yan
>
> On 11.03.2021 13:55, Sergey Chernyshev wrote:
>> Hi Alexey,
>>
>> Thank you for the review.
>>
>>
>> On 11.03.2021 12:49, Alexey Bakhtin wrote:
>>> Hello Sergey,
>>>
>>> Thank you for the backport.
>>> I’m not a reviewer, but I verified your patch and it looks good to me.
>>>
>>> Thank you
>>> Alexey
>>>
>>>> On 11 Mar 2021, at 11:19, Sergey Chernyshev <serge.chernyshev at bell-sw.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> Please review the backport of JDK-8233228. This is a parity backport with Oracle 7u281.
>>>>
>>>> Original bug: https://bugs.openjdk.java.net/browse/JDK-8233228
>>>> 8u patch: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/886fa7874189
>>>> 7u webrev: http://cr.openjdk.java.net/~alexsch/sercher/8233228.7u/webrev.00/
>>>>
>>>> Please note the patch depends on, and is applied on top of, JDK-8035166, which is under review [1].
>>>>
>>>> The patch doesn't apply cleanly. The following changes were made, compared to the 8u patch.
>>>>
>>>> - java.security-aix is not in 7u, skipped
>>>> - in java.security-* jdk.tls.disabledAlgorithms fully disables RC4 in 8u.
>>>> The proposed (clean) patch only includes jdk.disabled.namedCurves while still
>>>> allowing RC4-based cipher suites in TLS (JDK-8076221 is not yet in 7u)
>>>> - context change in DisabledAlgorithmConstraints.java, hunk #7
>>>> - in AbstractAlgorithmConstraints.java, whitespace conflict + getAlgorithms() requires
>>>> the parameter to be final, so as to access it from the anonymous inner class
>>>> - context change in keytool/Main.java, hunk #1
>>>>
>>>>
>>>> The following tests were run.
>>>>
>>>> java/security
>>>> javax/crypto
>>>> com/sun/crypto
>>>> javax/xml/crypto
>>>> com/sun/security
>>>> lib/security
>>>> javax/net
>>>> javax/security
>>>> sun/security
>>>> com/sun/org/apache/xml/internal/security
>>>> com/oracle/security
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Sergey
>>>>
>>>>
>>>> [1] https://mail.openjdk.java.net/pipermail/jdk7u-dev/2020-December/011069.html
>>>>
>>>> --
>>>> Best regards,
>>>> Sergey Chernyshev
>>>> Bellsoft LLC
>>>>
--
Best regards,
Sergey Chernyshev
Bellsoft LLC