RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883
Jamil Nimeh
jamil.j.nimeh at oracle.com
Mon Jan 28 19:25:06 UTC 2019
The change looks straightforward to me. One thing in the test code: if
this were to ever be backported to 11 the ChaCha20-Poly1305 suites need
to be removed from the ENABLED_UNLIMITED array. But is fine for jdk/jdk
and jdk12.
--Jamil
On 1/28/2019 10:26 AM, Sean Mullan wrote:
> This fixes a regression introduced by the recent change to disable the
> TLS NULL cipher suites [1]. This accidentally also disabled the
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name
> is decomposed by the algorithm constraints checking code it has NULL
> for its different parts (key exchange, etc). But this cipher suite is
> not negotiable and is only used for renegotiation purposes as defined
> in RFC
> 5746. It should not have been disabled.
>
> I also resurrected the CheckCipherSuites test which had an @ignore
> label on it. This is a good test because it checks what the expected
> enabled/supported suites should be, and will help catch issues like
> this in the future.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8217579
>
> Thanks,
> Sean
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8211883
More information about the security-dev
mailing list