8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883

Bernd Eckenfels ecki at zusammenkunft.net
Mon Jan 28 19:54:31 UTC 2019


Hello Sean,

Maybe you also want to change comment and name of the SUPPORTE_DDEFAULT Array to „SUPPORTED_LIMITED“ since Unlimited is now Default?

    private final static String[] ENABLED_DEFAULT
….
     // supported ciphersuites using default JCE policy jurisdiction files
     // AES/256 unavailable
     private final static String[] SUPPORTED_DEFAULT = {
230 – remove „Default

Is the test already run with all available policies? With the new System property it should be easy to run it with other/vm twice?

Is Oracle considering pushing a emergency public update for this?

The change Looks otherwise fine (I was first wondering if checking for a _SVCS Family makes more sense but I guess that can be done once we have more of those ciphers.

Gruss
Bernd
-- 
http://bernd.eckenfels.net

Von: Sean Mullan
Gesendet: Montag, 28. Januar 2019 20:26
An: security Dev OpenJDK
Betreff: RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883

This fixes a regression introduced by the recent change to disable the 
TLS NULL cipher suites [1]. This accidentally also disabled the 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name is 
decomposed by the algorithm constraints checking code it has NULL for 
its different parts (key exchange, etc). But this cipher suite is not 
negotiable and is only used for renegotiation purposes as defined in RFC
5746. It should not have been disabled.

I also resurrected the CheckCipherSuites test which had an @ignore label 
on it. This is a good test because it checks what the expected 
enabled/supported suites should be, and will help catch issues like this 
in the future.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8217579

Thanks,
Sean

[1] https://bugs.openjdk.java.net/browse/JDK-8211883

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190128/b7a76506/attachment.htm>


More information about the security-dev mailing list