[9]RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12
Xuelei Fan
xuelei.fan at oracle.com
Wed Sep 21 03:11:30 UTC 2016
P11TlsKeyMaterialGenerator.java
102-106:
There is a bug in the previous code. "&&" should be replaced with "||".
- (version < 0x0300) && (version > 0x0302)
+ (version < 0x0300) || (version > 0x0302)
The other two have the same issues. Otherwise, looks fine to me.
BTW, if client request to negotiate SSLv3, the server may not be able to
select other crypto provider that supports SSLv3 at present. We may
want a further enhancement later. As SSLv3 is fading out, this
enhancement may be not our priority. I filed a P3 RFE (JDK-8166425) for
the tracking.
Xuelei
On 9/20/2016 8:31 AM, Valerie Peng wrote:
> Xuelei,
>
> Could you please help reviewing this change?
>
> There are quite a few test failures on Solaris 12 due to the removal of
> Solaris PKCS11 SSL3 mechanisms which SunPKCS11 provider assume to be
> always present. I updated relevant classes as well as regression tests
> to skip SSL3 testing when the support isn't there.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>
> Thanks,
> Valerie
More information about the security-dev
mailing list