[9]RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12

Xuelei Fan xuelei.fan at oracle.com
Wed Sep 21 03:11:30 UTC 2016


P11TlsKeyMaterialGenerator.java
102-106:
There is a bug in the previous code. "&&" should be replaced with "||".
-   (version < 0x0300) && (version > 0x0302)
+   (version < 0x0300) || (version > 0x0302)

The other two have the same issues.  Otherwise, looks fine to me.

BTW, if client request to negotiate SSLv3, the server may not be able to 
select other crypto provider that supports SSLv3 at present.  We may 
want a further enhancement later.  As SSLv3 is fading out, this 
enhancement may be not our priority.  I filed a P3 RFE (JDK-8166425) for 
the tracking.

Xuelei


On 9/20/2016 8:31 AM, Valerie Peng wrote:
> Xuelei,
>
> Could you please help reviewing this change?
>
> There are quite a few test failures on Solaris 12 due to the removal of
> Solaris PKCS11 SSL3 mechanisms which SunPKCS11 provider assume to be
> always present. I updated relevant classes as well as regression tests
> to skip SSL3 testing when the support isn't there.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>
> Thanks,
> Valerie


More information about the security-dev mailing list