[9]RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12
Valerie Peng
valerie.peng at oracle.com
Wed Sep 21 17:28:51 UTC 2016
Good catch, I have fixed all three and updated the webrev:
http://cr.openjdk.java.net/~valeriep/8136355/webrev.01
Thanks for the prompt review~
Valerie
On 9/20/2016 8:11 PM, Xuelei Fan wrote:
> P11TlsKeyMaterialGenerator.java
> 102-106:
> There is a bug in the previous code. "&&" should be replaced with "||".
> - (version < 0x0300) && (version > 0x0302)
> + (version < 0x0300) || (version > 0x0302)
>
> The other two have the same issues. Otherwise, looks fine to me.
>
> BTW, if client request to negotiate SSLv3, the server may not be able
> to select other crypto provider that supports SSLv3 at present. We
> may want a further enhancement later. As SSLv3 is fading out, this
> enhancement may be not our priority. I filed a P3 RFE (JDK-8166425)
> for the tracking.
>
> Xuelei
>
>
> On 9/20/2016 8:31 AM, Valerie Peng wrote:
>> Xuelei,
>>
>> Could you please help reviewing this change?
>>
>> There are quite a few test failures on Solaris 12 due to the removal of
>> Solaris PKCS11 SSL3 mechanisms which SunPKCS11 provider assume to be
>> always present. I updated relevant classes as well as regression tests
>> to skip SSL3 testing when the support isn't there.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
>> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>>
>> Thanks,
>> Valerie
More information about the security-dev
mailing list