[11u] RFR: 8223482: Unsupported ciphersuites may be offered by a TLS client
Martin Balao
mbalao at redhat.com
Tue Jul 23 17:01:22 UTC 2019
CC'ing security-dev.
Thanks,
Martin.-
On 7/18/19 4:38 PM, Martin Balao wrote:
> Hi,
>
> I'd like to request a review for the jdk11u backport of 8223482 [1]:
>
> http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.jdk11u.webrev.00/
>
> There are 2 changes compared to the JDK version [2]:
>
> * SSLCipher.java
> * "Cipher.getInstance" replaced with "JsseJce.getCipher" in
> SSLCipher::isTransformationAvailable
> * JDK-11 has SunJSSE experimental FIPS support (which was removed in
> JDK), so we are able to check if the transformation is supported by
> SunJSSE's crypto provider. We don't need to check if it's supported by
> any provider because SunJSSE's crypto provider is the one that will be
> used for the TLS connection.
>
> * TestTLS12.java (FipsModeTLS12.java in JDK):
> * The change in TestTLS12::initialize does not apply to JDK-11
> * In JDK-11, we don't remove security providers because we are able
> to set the one that has to be used in SunJSSE (due to SunJSSE
> experimental FIPS support).
>
> Testing:
>
> * No regressions found in:
> * jdk/sun/security/pkcs11
> * jdk/javax/net/ssl
> * jdk/com/sun/crypto/provider/TLS
>
> * TestTLS12 updated to cover this patch
>
> Thanks,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8223482
> [2] - http://hg.openjdk.java.net/jdk/jdk/rev/d0f73fccf5f3
>
More information about the security-dev
mailing list