[9]RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12

Valerie Peng valerie.peng at oracle.com
Wed Sep 21 17:28:51 UTC 2016


Good catch, I have fixed all three and updated the webrev:
http://cr.openjdk.java.net/~valeriep/8136355/webrev.01

Thanks for the prompt review~
Valerie

On 9/20/2016 8:11 PM, Xuelei Fan wrote:
> P11TlsKeyMaterialGenerator.java
> 102-106:
> There is a bug in the previous code. "&&" should be replaced with "||".
> -   (version < 0x0300) && (version > 0x0302)
> +   (version < 0x0300) || (version > 0x0302)
>
> The other two have the same issues.  Otherwise, looks fine to me.
>
> BTW, if client request to negotiate SSLv3, the server may not be able 
> to select other crypto provider that supports SSLv3 at present.  We 
> may want a further enhancement later.  As SSLv3 is fading out, this 
> enhancement may be not our priority.  I filed a P3 RFE (JDK-8166425) 
> for the tracking.
>
> Xuelei
>
>
> On 9/20/2016 8:31 AM, Valerie Peng wrote:
>> Xuelei,
>>
>> Could you please help reviewing this change?
>>
>> There are quite a few test failures on Solaris 12 due to the removal of
>> Solaris PKCS11 SSL3 mechanisms which SunPKCS11 provider assume to be
>> always present. I updated relevant classes as well as regression tests
>> to skip SSL3 testing when the support isn't there.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
>> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>>
>> Thanks,
>> Valerie



More information about the security-dev mailing list