TlsRsaPremasterSecretParameterSpec
Gardiner Michael
Michael.Gardiner at gemalto.com
Tue Feb 7 21:29:40 UTC 2017
Hello Java Security Developers
We had a discussion a year and a bit ago about the
TlsRsaPremasterSecretParameterSpec being used in a way that doesn't seem to
make sense. I've attached the email from 2015, but the same question has
arisen.
It seems that the JSSE is expecting RSA Ciphers to be able to handle
TlsRsaPremasterSecretParameterSpec. Is the
TlsRsaPremasterSecretParameterSpec class going to move out of the status of
"@deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
release" towards something that will be expected of RSA cipher instances to
interoperate with the JSSE?
This is a blocking issue currently with at least one large customer. We
could add some code in our provider to inspect if the parameter spec sent is
of the offending type, but I'd really rather not have to handle a deprecated
class that was never intended to be used outside of the Sun code base.
My current advice to this customer is:
1. Roll back to a previous version of Java that's not affected by this
behaviour change
2. Ensure the use of PFS cipher suites so the RSA key is used only for
identity and not key exchange
But both of those pieces of advice may not be practical in their situation.
Regards,
Mike Gardiner
Systems Security Architect
Gemalto
-------------- next part --------------
An embedded message was scrubbed...
From: "Sean Mullan" <sean.mullan at oracle.com>
Subject: Re: 8028192 Use of PKCS11-NSS provider in FIPS mode broken
Date: Mon, 21 Sep 2015 14:15:34 -0500
Size: 4724
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20170207/e3d8f574/attachment.eml>
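
The second workaround in the message above (PFS-only cipher suites, so the RSA key is used only for identity) can be applied to a JSSE server socket as follows. This is an added example, not part of the original post or of any provider's code; the class name `PfsOnlySuites` and the helper `pfsOnly` are hypothetical, and the sample suite list is constructed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;

public class PfsOnlySuites {

    // Keep only suites with an ephemeral (EC)DH key exchange. With these the RSA key
    // only signs the handshake, so JSSE never asks an RSA Cipher to unwrap a
    // premaster secret. Static TLS_RSA_*, TLS_ECDH_* and TLS_DH_* suites are dropped.
    static String[] pfsOnly(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.startsWith("TLS_ECDHE_")
                          || s.startsWith("TLS_DHE_")
                          // TLS 1.3 suite names carry no key exchange; it is always ephemeral
                          || s.startsWith("TLS_AES_")
                          || s.startsWith("TLS_CHACHA20_"))
                .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, to show which names survive the filter.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",          // RSA key exchange: removed
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"      // static ECDH: removed
        };
        System.out.println("Sample kept: " + Arrays.toString(pfsOnly(sample)));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        String[] pfs = pfsOnly(params.getCipherSuites());
        if (pfs.length == 0) {
            // Fail closed rather than fall back to RSA key exchange.
            throw new IllegalStateException("No PFS cipher suites enabled in this JRE");
        }
        params.setCipherSuites(pfs);

        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            server.setSSLParameters(params);
            System.out.println("Enabled on server socket: "
                    + Arrays.toString(server.getEnabledCipherSuites()));
        }
    }
}
```

Peers that offer only RSA key-exchange suites will fail the handshake against a socket configured this way, which is the practicality concern the message raises.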