[11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hohensee, Paul hohensee at amazon.com
Thu Apr 8 21:35:32 UTC 2021 

Ouch, missed that. Good to go.

Thanks,
Paul

-----Original Message-----
From: "Doerr, Martin" <martin.doerr at sap.com>
Date: Thursday, April 8, 2021 at 2:53 AM
To: "Hohensee, Paul" <hohensee at amazon.com>, "Langer, Christoph" <christoph.langer at sap.com>, jdk-updates-dev <jdk-updates-dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul and Christoph,

thank you for the review and the approval.

I've added the blank line.
In addition, I've reviewed the whole change again and found a copy & paste bug in my webrev.00:
     SECT283_K1(0x0009, "sect283k1", true,
             NamedGroupSpec.NAMED_GROUP_ECDHE,
             ProtocolVersion.PROTOCOLS_TO_12,
-            CurveDB.lookup("sect163k1")),
+            CurveDB.lookup("sect283k1")),

This is the version I'm planning to push:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/

Tests have passed.

Best regards,
Martin


> -----Original Message-----
> From: Hohensee, Paul <hohensee at amazon.com>
> Sent: Donnerstag, 8. April 2021 01:01
> To: Langer, Christoph <christoph.langer at sap.com>; Doerr, Martin
> <martin.doerr at sap.com>; jdk-updates-dev <jdk-updates-
> dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hmm, could have sworn...
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: "Langer, Christoph" <christoph.langer at sap.com>
> Date: Wednesday, April 7, 2021 at 3:16 PM
> To: "Hohensee, Paul" <hohensee at amazon.com>, "Doerr, Martin"
> <martin.doerr at sap.com>, jdk-updates-dev <jdk-updates-
> dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
> Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hi Paul,
>
> thanks for the review. The CSR that Martin mentions is the one that Oracle
> has filed for 11.0.12-oracle. so we can simply reuse it.
>
> As for 13, there exists a CSR as well: JDK-8256335
>
> Best regards
> Christoph
>
> > -----Original Message-----
> > From: Hohensee, Paul <hohensee at amazon.com>
> > Sent: Mittwoch, 7. April 2021 23:42
> > To: Doerr, Martin <martin.doerr at sap.com>; jdk-updates-dev <jdk-
> updates-
> > dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> > Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; Langer, Christoph
> > <christoph.langer at sap.com>
> > Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > The backport looks fine, except there's a missing blank line after
> FFDHE_2048
> > in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be
> one
> > for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> > security person, so it would be great if someone who is reviews the CSR to
> > see if there are any 11u-specific issues with it.
> >
> > Thanks,
> > Paul
> >
> > -----Original Message-----
> > From: jdk-updates-dev <jdk-updates-dev-retn at openjdk.java.net> on
> > behalf of "Doerr, Martin" <martin.doerr at sap.com>
> > Date: Wednesday, April 7, 2021 at 9:10 AM
> > To: jdk-updates-dev <jdk-updates-dev at openjdk.java.net>, security-dev
> > <security-dev at openjdk.java.net>
> > Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>, "Langer,
> > Christoph" <christoph.langer at sap.com>
> > Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hi,
> >
> > JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
> > It doesn't apply cleanly. I've taken the 13u backport as source because it
> > resolves the wrong backport order with JDK-8242141.
> >
> > Bug:
> > https://bugs.openjdk.java.net/browse/JDK-8226374
> >
> > 11u CSR:
> > https://bugs.openjdk.java.net/browse/JDK-8264555
> >
> > Original change (JDK14):
> > https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> >
> > 13u backport:
> > https://github.com/openjdk/jdk13u-dev/commit/384445d2
> >
> > 11u rejected hunks (integrated manually):
> >
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> >
> > my new 11u backport:
> > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> >
> > Please review.
> >
> > Best regards,
> > Martin
> >
>

More information about the security-dev mailing list