RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883

Jamil Nimeh jamil.j.nimeh at oracle.com
Mon Jan 28 19:25:06 UTC 2019


The change looks straightforward to me.  One thing in the test code: if 
this were to ever be backported to 11 the ChaCha20-Poly1305 suites need 
to be removed from the ENABLED_UNLIMITED array.  But is fine for jdk/jdk 
and jdk12.

--Jamil

On 1/28/2019 10:26 AM, Sean Mullan wrote:
> This fixes a regression introduced by the recent change to disable the 
> TLS NULL cipher suites [1]. This accidentally also disabled the 
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name 
> is decomposed by the algorithm constraints checking code it has NULL 
> for its different parts (key exchange, etc). But this cipher suite is 
> not negotiable and is only used for renegotiation purposes as defined 
> in RFC
> 5746. It should not have been disabled.
>
> I also resurrected the CheckCipherSuites test which had an @ignore 
> label on it. This is a good test because it checks what the expected 
> enabled/supported suites should be, and will help catch issues like 
> this in the future.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8217579
>
> Thanks,
> Sean
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8211883




More information about the security-dev mailing list