RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883
Sean Mullan
sean.mullan at oracle.com
Mon Jan 28 18:26:36 UTC 2019

This fixes a regression introduced by the recent change to disable the
TLS NULL cipher suites [1]. This accidentally also disabled the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name is
decomposed by the algorithm constraints checking code it has NULL for
its different parts (key exchange, etc.). But this cipher suite is not
negotiable and is only used for renegotiation purposes as defined in RFC
5746. It should not have been disabled.

I also resurrected the CheckCipherSuites test which had an @ignore label
on it. This is a good test because it checks what the expected
enabled/supported suites should be, and will help catch issues like this
in the future.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8217579

Thanks,
Sean

[1] https://bugs.openjdk.java.net/browse/JDK-8211883
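
A runtime check for the regression described in the message above, as an added example that is not part of the original post and is not the JDK's CheckCipherSuites test: it confirms that the running JRE still lists TLS_EMPTY_RENEGOTIATION_INFO_SCSV while no NULL suite is enabled. The class name `ScsvCheck`, the `audit` helper and the name-based `_NULL` match are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (not JDK code): audit the running JRE's default cipher suite lists.
public class ScsvCheck {
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    // Returns findings for one suite list; an empty result means the list looks right.
    static List<String> audit(String label, String[] suites, boolean rejectNull) {
        List<String> findings = new ArrayList<>();
        // The SCSV is a signalling value (RFC 5746), so a constraint aimed at
        // NULL suites should leave it in place.
        if (!Arrays.asList(suites).contains(SCSV)) {
            findings.add(label + ": " + SCSV + " is missing");
        }
        for (String s : suites) {
            // Real NULL suites carry NULL in the name, e.g. TLS_RSA_WITH_NULL_SHA256.
            if (rejectNull && s.contains("_NULL")) {
                findings.add(label + ": NULL suite present: " + s);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Show the constraint list that drives the filtering.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        SSLContext ctx = SSLContext.getDefault();
        List<String> findings = new ArrayList<>();
        findings.addAll(audit("enabled",
                ctx.getDefaultSSLParameters().getCipherSuites(), true));
        findings.addAll(audit("supported",
                ctx.getSupportedSSLParameters().getCipherSuites(), false));
        findings.forEach(System.out::println);
        if (findings.isEmpty()) {
            System.out.println("OK: SCSV present, no NULL suites enabled");
        }
        // Non-zero exit lets a build or deployment gate fail on a regression.
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```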