[11u] RFR: 8223482: Unsupported ciphersuites may be offered by a TLS client

Martin Balao mbalao at redhat.com
Tue Jul 23 17:01:22 UTC 2019


CC'ing security-dev.

Thanks,
Martin.-


On 7/18/19 4:38 PM, Martin Balao wrote:
> Hi,
> 
> I'd like to request a review for the jdk11u backport of 8223482 [1]:
> 
> http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.jdk11u.webrev.00/
> 
> There are 2 changes compared to the JDK version [2]:
> 
>  * SSLCipher.java
>   * "Cipher.getInstance" replaced with "JsseJce.getCipher" in
> SSLCipher::isTransformationAvailable
>    * JDK-11 has SunJSSE experimental FIPS support (which was removed in
> JDK), so we are able to check if the transformation is supported by
> SunJSSE's crypto provider. We don't need to check if it's supported by
> any provider because SunJSSE's crypto provider is the one that will be
> used for the TLS connection.
> 
>  * TestTLS12.java (FipsModeTLS12.java in JDK):
>   * The change in TestTLS12::initialize does not apply to JDK-11
>    * In JDK-11, we don't remove security providers because we are able
> to set the one that has to be used in SunJSSE (due to SunJSSE
> experimental FIPS support).
> 
> Testing:
> 
>  * No regressions found in:
>   * jdk/sun/security/pkcs11
>   * jdk/javax/net/ssl
>   * jdk/com/sun/crypto/provider/TLS
> 
>  * TestTLS12 updated to cover this patch
> 
> Thanks,
> Martin.-
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8223482
> [2] - http://hg.openjdk.java.net/jdk/jdk/rev/d0f73fccf5f3
> 



More information about the security-dev mailing list