RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883

Sean Mullan sean.mullan at oracle.com
Mon Jan 28 18:26:36 UTC 2019


This fixes a regression introduced by the recent change to disable the 
TLS NULL cipher suites [1]. This accidentally also disabled the 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name is 
decomposed by the algorithm constraints checking code it has NULL for 
its different parts (key exchange, etc). But this cipher suite is not 
negotiable and is only used for renegotiation purposes as defined in RFC
5746. It should not have been disabled.

I also resurrected the CheckCipherSuites test which had an @ignore label 
on it. This is a good test because it checks what the expected 
enabled/supported suites should be, and will help catch issues like this 
in the future.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8217579

Thanks,
Sean

[1] https://bugs.openjdk.java.net/browse/JDK-8211883



More information about the security-dev mailing list