[jdk8u-dev] RFR: 8308592: Framework for CA interoperability testing [v2]
Andrew John Hughes
andrew at openjdk.org
Tue Nov 28 15:15:10 UTC 2023
On Tue, 28 Nov 2023 15:09:10 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:
>> This looks good. The reason why the `certignarootca` test fails is the different defaults for `jdk.tls.client.enableStatusRequestExtension` between JDK 11 and JDK 8 in `SSLContextImpl.java`. The former has it set to `true`, the latter to `false`, as per the TLS 1.3 backport to 8. Without it, the `ClientHello` won't have the `status_request` extension, which is required for the test to pass.
>>
>> I suggest setting this to `true` in the affected test only (or setting it to `true` globally in `CAInterop.java`). Either way, I'd include this in this backport.
>
> Good catch. Looks like all tests pass with this enabled in `ValidatePathWithURL.java`
> ~~~
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInt...
> ~~~
>
> @gnu-andrew Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See [OpenJDK Developers’ Guide](https://openjdk.org/guide/#working-with-pull-requests) for more information.
Yeah, I'm not going to merge over half a dozen commits manually, bot, when Git is smart enough to match them against the ones you pushed to 8u-dev and just drop them.
-------------
PR Comment: https://git.openjdk.org/jdk8u-dev/pull/390#issuecomment-1830045506
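
To check locally whether a JDK build puts `status_request` in its `ClientHello` for a given value of `jdk.tls.client.enableStatusRequestExtension`, the following added example (not part of the PR or of the OpenJDK test suite) has an `SSLEngine` emit a ClientHello offline and scans its extensions for type 5 (RFC 6066). The class name `StatusRequestProbe` and the host `example.invalid` are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: run as "java StatusRequestProbe true" and "java StatusRequestProbe false".
public class StatusRequestProbe {

    // Walks a single TLS record holding a ClientHello and reports whether
    // the extension list contains status_request (extension type 5).
    static boolean offersStatusRequest(ByteBuffer b) {
        if (b.get(0) != 22 || b.get(5) != 1) {
            throw new IllegalArgumentException("not a ClientHello handshake record");
        }
        int p = 5 + 4 + 2 + 32;               // record hdr, handshake hdr, legacy_version, random
        p += 1 + (b.get(p) & 0xff);           // legacy_session_id
        p += 2 + (b.getShort(p) & 0xffff);    // cipher_suites
        p += 1 + (b.get(p) & 0xff);           // legacy_compression_methods
        int end = p + 2 + (b.getShort(p) & 0xffff);
        p += 2;                               // start of the first extension
        while (p + 4 <= end) {
            int type = b.getShort(p) & 0xffff;
            int len = b.getShort(p + 2) & 0xffff;
            if (type == 5) {
                return true;
            }
            p += 4 + len;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Set the property before any JSSE class reads it.
        String value = args.length > 0 ? args[0] : "true";
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", value);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine("example.invalid", 443); // no connection is made
        engine.setUseClientMode(true);

        // The first wrap() starts the handshake and writes the ClientHello into 'out'.
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out);
        out.flip();

        System.out.println("enableStatusRequestExtension=" + value
                + " -> status_request offered: " + offersStatusRequest(out));
    }
}
```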