[11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hohensee, Paul hohensee at amazon.com
Wed Apr 7 23:00:36 UTC 2021


Hmm, could have sworn...

Thanks,
Paul

-----Original Message-----
From: "Langer, Christoph" <christoph.langer at sap.com>
Date: Wednesday, April 7, 2021 at 3:16 PM
To: "Hohensee, Paul" <hohensee at amazon.com>, "Doerr, Martin" <martin.doerr at sap.com>, jdk-updates-dev <jdk-updates-dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul,

thanks for the review. The CSR that Martin mentions is the one that Oracle has filed for 11.0.12-oracle, so we can simply reuse it.

As for 13, there exists a CSR as well: JDK-8256335

Best regards
Christoph

> -----Original Message-----
> From: Hohensee, Paul <hohensee at amazon.com>
> Sent: Wednesday, 7 April 2021 23:42
> To: Doerr, Martin <martin.doerr at sap.com>; jdk-updates-dev
> <jdk-updates-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; Langer, Christoph
> <christoph.langer at sap.com>
> Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> The backport looks fine, except there's a missing blank line after FFDHE_2048
> in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> security person, so it would be great if someone who is reviews the CSR to
> see if there are any 11u-specific issues with it.
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: jdk-updates-dev <jdk-updates-dev-retn at openjdk.java.net> on
> behalf of "Doerr, Martin" <martin.doerr at sap.com>
> Date: Wednesday, April 7, 2021 at 9:10 AM
> To: jdk-updates-dev <jdk-updates-dev at openjdk.java.net>, security-dev
> <security-dev at openjdk.java.net>
> Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>, "Langer,
> Christoph" <christoph.langer at sap.com>
> Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hi,
>
> JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
> It doesn't apply cleanly. I've taken the 13u backport as source because it
> resolves the wrong backport order with JDK-8242141.
>
> Bug:
> https://bugs.openjdk.java.net/browse/JDK-8226374
>
> 11u CSR:
> https://bugs.openjdk.java.net/browse/JDK-8264555
>
> Original change (JDK14):
> https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
>
> 13u backport:
> https://github.com/openjdk/jdk13u-dev/commit/384445d2
>
> 11u rejected hunks (integrated manually):
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
>
> My new 11u backport:
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
>
> Please review.
>
> Best regards,
> Martin
>



