RFR 8136355: CKM_SSL3_KEY_AND_MAC_DERIVE no longer available by default on Solaris 12
Seán Coffey
sean.coffey at oracle.com
Thu Sep 22 07:53:54 UTC 2016
Thanks!
Regards,
Sean.
On 22 September 2016 00:40:15 GMT+01:00, Valerie Peng <valerie.peng at oracle.com> wrote:
>Alright, I included the hex value of the version in the exception
>message.
>In addition, one of the regression tests was using 0x400 as the version
>value and that has to be removed now that the version check has been
>corrected.
>http://cr.openjdk.java.net/~valeriep/8136355/webrev.02/
>
>Thanks,
>Valerie
>
>On 9/21/2016 10:49 AM, Seán Coffey wrote:
>> Hey Valerie,
>>
>> There are a few calls in this code where an exception is thrown if a
>> bad version is received. It's code that already existed, but would you
>> mind enhancing the exceptions to print the version while editing the
>> code there?
>> e.g. P11TlsKeyMaterialGenerator.java
>>> + throw new InvalidAlgorithmParameterException
>>> + ("Only" + (supportSSLv3? " SSL 3.0,": "") +
>>> + " TLS 1.0, and TLS 1.1 are supported");
>> Regards,
>> Sean.
>> On 21/09/16 18:28, Valerie Peng wrote:
>>> Good catch, I have fixed all three and updated the webrev:
>>> http://cr.openjdk.java.net/~valeriep/8136355/webrev.01
>>>
>>> Thanks for the prompt review~
>>> Valerie
>>>
>>> On 9/20/2016 8:11 PM, Xuelei Fan wrote:
>>>> P11TlsKeyMaterialGenerator.java
>>>> 102-106:
>>>> There is a bug in the previous code. "&&" should be replaced with "||".
>>>> - (version < 0x0300) && (version > 0x0302)
>>>> + (version < 0x0300) || (version > 0x0302)
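Review bot: on the removed line, the condition (version < 0x0300) && (version > 0x0302) can never be true, because no value is both below 0x0300 and above 0x0302, so this check rejected nothing. The || form on the + line is the correct range test; a regression test that passes one value below 0x0300 and one above 0x0302 and expects both to be rejected would keep the operator from slipping back.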
>>>>
>>>> The other two have the same issues. Otherwise, looks fine to me.
>>>>
>>>> BTW, if a client requests to negotiate SSLv3, the server may not be
>>>> able to select another crypto provider that supports SSLv3 at
>>>> present. We may want a further enhancement later. As SSLv3 is
>>>> fading out, this enhancement may not be our priority. I filed a P3
>>>> RFE (JDK-8166425) for the tracking.
>>>>
>>>> Xuelei
>>>>
>>>>
>>>> On 9/20/2016 8:31 AM, Valerie Peng wrote:
>>>>> Xuelei,
>>>>>
>>>>> Could you please help review this change?
>>>>>
>>>>> There are quite a few test failures on Solaris 12 due to the
>>>>> removal of Solaris PKCS11 SSL3 mechanisms, which the SunPKCS11
>>>>> provider assumes to be always present. I updated relevant classes
>>>>> as well as regression tests to skip SSL3 testing when the support
>>>>> isn't there.
>>>>>
>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8136355
>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8136355/webrev.00/
>>>>>
>>>>> Thanks,
>>>>> Valerie
>>>
>>