[8u] Request for enhancement backport approval for CR JDK-8029661 - Support TLS v1.2 algorithm in SunPKCS11 provider

Valerie Peng valerie.peng at oracle.com
Mon Oct 29 23:53:44 UTC 2018


Hi Martin,

The 8u changes look fine.

Just double checking, what are the platforms and regression tests which 
you use for validating the 8u backport?

Thanks,
Valerie

On 10/23/2018 5:18 AM, Martin Balao wrote:
> Hi Valerie,
>
> This backport was trivial, only a few changes required:
>
>  * Paths
>  * JDK-8210912 fix included [1]
>  * Minor adjustments when checking TLS version in
>    P11TlsKeyMaterialGenerator, P11TlsMasterSecretGenerator and
>    P11TlsRsaPremasterSecretGenerator
>
> Thanks,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8210912
>
> On Mon, Oct 22, 2018 at 7:17 PM, Valerie Peng <valerie.peng at oracle.com> wrote:
>
>     Martin,
>
>     Sean asked me to help review this backport. Are the changes for 8u
>     identical to those for JDK 12 (minus the path differences)? Are
>     there any 8u-specific modifications?
>
>     Thanks,
>
>     Valerie
>
>
>
>     On 10/15/2018 8:15 AM, Martin Balao wrote:
>
>         Hi Sean,
>
>         Any updates on this?
>
>         Kind regards,
>         Martin.-
>
>         On Tue, Sep 25, 2018 at 6:56 PM, Seán Coffey <sean.coffey at oracle.com> wrote:
>
>             Thanks for logging this request Martin. Looking into this
>             and hope to reply shortly.
>
>             regards,
>             Sean.
>
>
>
>             On 25/09/2018 10:07, Martin Balao wrote:
>
>                 Hi,
>
>                 I'd like to request an enhancement backport approval
>                 for JDK-8029661 [1].
>
>                 Supporting TLS v1.2 algorithms in SunPKCS11 crypto
>                 provider would be highly beneficial for operating in a
>                 FIPS-140 environment. This is highly critical for both
>                 security and compliance reasons to many OpenJDK users,
>                 including corporations, public sector and other
>                 organizations. TLS 1.2 is currently the most widespread
>                 TLS version.
>
>                 Changes done as part of this enhancement are
>                 constrained to SunPKCS11 crypto provider and do not
>                 affect SSL/TLS code. Risk involved is low mainly
>                 because of the following reasons: 1) this enhancement
>                 is an extension on top of currently supported
>                 mechanisms (no major refactorings were applied); and,
>                 2) backport is straightforward because affected code
>                 has not suffered major changes since JDK 8 release.
>
>                 JDK-8029661 has been reviewed by Valerie Peng on
>                 security-dev list [2] and has been merged to JDK [3]
>                 base line. Regression testing on sun/security/pkcs11
>                 category experienced no regressions because of this
>                 enhancement on both JDK base line and JDK 8.
>
>                 JDK 8 backport webrev:
>
>                    * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.10.jdk8u/
>                    * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.10.jdk8u.zip
>
>                 Please note that this backport includes JDK-8210912 fix [4].
>
>                 Thanks,
>                 Martin.-
>
>                 --
>                 [1] - https://bugs.openjdk.java.net/browse/JDK-8029661
>                 [2] - http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018278.html
>                 [3] - http://hg.openjdk.java.net/jdk/jdk/rev/bccd9966f1ed
>                 [4] - https://bugs.openjdk.java.net/browse/JDK-8210912
>
>
>
>


