[8u-dev] RFA + RFR (M): 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883

Hohensee, Paul hohensee at amazon.com
Fri Feb 22 22:48:35 UTC 2019


Thank you for your review, Christoph.

Paul

On 2/22/19, 6:51 AM, "Langer, Christoph" <christoph.langer at sap.com> wrote:

    Hi Paul,
    
    the backport change looks good to me. I've labeled JDK-8217579 with jdk8u-fix-request.
    
    Best regards
    Christoph
    
    > -----Original Message-----
    > From: jdk8u-dev <jdk8u-dev-bounces at openjdk.java.net> On Behalf Of
    > Hohensee, Paul
    > Sent: Friday, 22 February 2019 02:34
    > To: jdk8u-dev at openjdk.java.net
    > Subject: [8u-dev] RFA + RFR (M): 8217579:
    > TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
    > 
    > Please review/approve this backport to 8u that is tagged by Oracle for 8u211.
    > 
    > JBS: https://bugs.openjdk.java.net/browse/JDK-8217579
    > Webrev: http://cr.openjdk.java.net/~phh/8217579/webrev.8u.00/
    > jdk11u backport patch: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/dd764f251274
    > Original patch: http://hg.openjdk.java.net/jdk/jdk/rev/ad3438957ff5
    > 
    > jdk11u backport review thread:
    > https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019271.html
    > Original review thread:
    > https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019256.html
    > 
    > There are 3 differences between this patch and the jdk11u patch.
    > 
    > The first is that the 8u change in SSLAlgorithmDecomposer.java compares
    > against CipherSuite.C_SCSV rather than
    > CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV. C_SCSV appears to
    > be the 8u equivalent of 11u’s TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
    > 
    > The second is that the TLS_AES_128_GCM_SHA256 and
    > TLS_AES_256_GCM_SHA384 ciphers do not appear to be supported by 8u.
    > 
    > Finally, the cipher dump order in CheckCipherSuites.java is different in 8u
    > compared to 11u, though the number and names of the ciphers are the same
    > (other than the two above).
    > 
    > Thanks,
    > 
    > Paul
    
    


