8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883
Bernd Eckenfels
ecki at zusammenkunft.net
Mon Jan 28 19:54:31 UTC 2019
Hello Sean,
Maybe you also want to change comment and name of the SUPPORTE_DDEFAULT Array to „SUPPORTED_LIMITED“ since Unlimited is now Default?
private final static String[] ENABLED_DEFAULT
….
// supported ciphersuites using default JCE policy jurisdiction files
// AES/256 unavailable
private final static String[] SUPPORTED_DEFAULT = {
230 – remove „Default
Is the test already run with all available policies? With the new System property it should be easy to run it with other/vm twice?
Is Oracle considering pushing a emergency public update for this?
The change Looks otherwise fine (I was first wondering if checking for a _SVCS Family makes more sense but I guess that can be done once we have more of those ciphers.
Gruss
Bernd
--
http://bernd.eckenfels.net
Von: Sean Mullan
Gesendet: Montag, 28. Januar 2019 20:26
An: security Dev OpenJDK
Betreff: RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883
This fixes a regression introduced by the recent change to disable the
TLS NULL cipher suites [1]. This accidentally also disabled the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name is
decomposed by the algorithm constraints checking code it has NULL for
its different parts (key exchange, etc). But this cipher suite is not
negotiable and is only used for renegotiation purposes as defined in RFC
5746. It should not have been disabled.
I also resurrected the CheckCipherSuites test which had an @ignore label
on it. This is a good test because it checks what the expected
enabled/supported suites should be, and will help catch issues like this
in the future.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8217579
Thanks,
Sean
[1] https://bugs.openjdk.java.net/browse/JDK-8211883
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190128/b7a76506/attachment.htm>
More information about the security-dev
mailing list