[9] RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12

Seán Coffey sean.coffey at oracle.com
Wed Sep 21 17:49:04 UTC 2016


Hey Valerie,

There are a few calls in this code where an exception is thrown if a bad 
version is received. It's code that already existed, but would you mind 
enhancing the exceptions to print the version while editing the code there?
e.g. P11TlsKeyMaterialGenerator.java
> +             throw new InvalidAlgorithmParameterException
> +                    ("Only" + (supportSSLv3? " SSL 3.0,": "") +
> +                     " TLS 1.0, and TLS 1.1 are supported");
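
Review bot: When supportSSLv3 is false, the concatenated message reads "Only TLS 1.0, and TLS 1.1 are supported", with a stray comma before "and"; build the list so the two-item case has no comma. The message also omits the value that was rejected, so appending the received version (for example in hex) would make the failure diagnosable from the exception alone.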

Regards,
Sean.

On 21/09/16 18:28, Valerie Peng wrote:
> Good catch, I have fixed all three and updated the webrev:
> http://cr.openjdk.java.net/~valeriep/8136355/webrev.01
>
> Thanks for the prompt review~
> Valerie
>
> On 9/20/2016 8:11 PM, Xuelei Fan wrote:
>> P11TlsKeyMaterialGenerator.java
>> 102-106:
>> There is a bug in the previous code. "&&" should be replaced with "||".
>> -   (version < 0x0300) && (version > 0x0302)
>> +   (version < 0x0300) || (version > 0x0302)
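
Review bot: The lower bound in the corrected condition is the constant 0x0300, so SSL 3.0 passes this check unconditionally, while the exception message quoted from this file lists SSL 3.0 only when supportSSLv3 is set. Confirm that version 0x0300 is rejected when supportSSLv3 is false, for example by making the lower bound depend on that flag.
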
>>
>> The other two have the same issues.  Otherwise, looks fine to me.
>>
>> BTW, if a client requests to negotiate SSLv3, the server may not be able 
>> to select another crypto provider that supports SSLv3 at present.  We 
>> may want a further enhancement later.  As SSLv3 is fading out, this 
>> enhancement may not be our priority.  I filed a P3 RFE (JDK-8166425) 
>> for the tracking.
>>
>> Xuelei
>>
>>
>> On 9/20/2016 8:31 AM, Valerie Peng wrote:
>>> Xuelei,
>>>
>>> Could you please help review this change?
>>>
>>> There are quite a few test failures on Solaris 12 due to the removal of
>>> Solaris PKCS11 SSL3 mechanisms which the SunPKCS11 provider assumes to be
>>> always present. I updated relevant classes as well as regression tests
>>> to skip SSL3 testing when the support isn't there.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
>>> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>>>
>>> Thanks,
>>> Valerie
>
