RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883
Sean Mullan
sean.mullan at oracle.com
Mon Jan 28 19:48:20 UTC 2019
On 1/28/19 2:25 PM, Jamil Nimeh wrote:
> The change looks straightforward to me. One thing in the test code: if
> this were to ever be backported to 11 the ChaCha20-Poly1305 suites need
> to be removed from the ENABLED_UNLIMITED array.
Yes.
> But is fine for jdk/jdk
> and jdk12.
Great, thanks for the review.
--Sean
>
> --Jamil
>
> On 1/28/2019 10:26 AM, Sean Mullan wrote:
>> This fixes a regression introduced by the recent change to disable the
>> TLS NULL cipher suites [1]. This accidentally also disabled the
>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name
>> is decomposed by the algorithm constraints checking code it has NULL
>> for its different parts (key exchange, etc). But this cipher suite is
>> not negotiable and is only used for renegotiation purposes as defined
>> in RFC 5746. It should not have been disabled.
>>
>> I also resurrected the CheckCipherSuites test which had an @ignore
>> label on it. This is a good test because it checks what the expected
>> enabled/supported suites should be, and will help catch issues like
>> this in the future.
>>
>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
>> bug: https://bugs.openjdk.java.net/browse/JDK-8217579
>>
>> Thanks,
>> Sean
>>
>> [1] https://bugs.openjdk.java.net/browse/JDK-8211883
>
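A check for the regression discussed in this thread, as an added example that is not part of the original messages and is not the JDK's CheckCipherSuites test: it uses the standard `javax.net.ssl` API to confirm that the default enabled suites still contain TLS_EMPTY_RENEGOTIATION_INFO_SCSV while no NULL suite is enabled. The class name `ScsvCheck` and the name-based NULL matching are assumptions of this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

public class ScsvCheck {  // hypothetical class name, not from the JDK test suite
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    // Assumption: a NULL suite is recognised by a NULL component in its
    // standard name (e.g. TLS_RSA_WITH_NULL_SHA). The SCSV name has no such
    // component, so this name-based match never flags it.
    static boolean isNullSuite(String name) {
        return Arrays.asList(name.split("_")).contains("NULL");
    }

    static List<String> nullSuites(String[] suites) {
        return Arrays.stream(suites)
                .filter(ScsvCheck::isNullSuite)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        boolean scsvEnabled = Arrays.asList(enabled).contains(SCSV);
        boolean scsvSupported = Arrays.asList(supported).contains(SCSV);
        List<String> nullEnabled = nullSuites(enabled);

        System.out.println("java.version               = "
                + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("SCSV enabled by default    = " + scsvEnabled);
        System.out.println("SCSV supported             = " + scsvSupported);
        System.out.println("NULL suites enabled        = " + nullEnabled);

        // Fail when the SCSV was dropped or a NULL suite is still on by default
        if (!scsvEnabled || !nullEnabled.isEmpty()) {
            System.exit(1);
        }
    }
}
```

On JDK 11 or later this can be run directly as `java ScsvCheck.java`; a non-zero exit status means the default configuration either lost the SCSV or still enables a NULL suite.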