[11u] RFR: 8226374: Restrict TLS signature schemes and named groups
Doerr, Martin
martin.doerr at sap.com
Fri Apr 9 09:19:05 UTC 2021
That one was hard to see. Pushed.
Thanks,
Martin
> -----Original Message-----
> From: Hohensee, Paul <hohensee at amazon.com>
> Sent: Thursday, 8 April 2021 23:36
> To: Doerr, Martin <martin.doerr at sap.com>; Langer, Christoph
> <christoph.langer at sap.com>; jdk-updates-dev
> <jdk-updates-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Ouch, missed that. Good to go.
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: "Doerr, Martin" <martin.doerr at sap.com>
> Date: Thursday, April 8, 2021 at 2:53 AM
> To: "Hohensee, Paul" <hohensee at amazon.com>, "Langer, Christoph"
> <christoph.langer at sap.com>, jdk-updates-dev
> <jdk-updates-dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
> Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hi Paul and Christoph,
>
> thank you for the review and the approval.
>
> I've added the blank line.
> In addition, I've reviewed the whole change again and found a copy & paste
> bug in my webrev.00:
> SECT283_K1(0x0009, "sect283k1", true,
> NamedGroupSpec.NAMED_GROUP_ECDHE,
> ProtocolVersion.PROTOCOLS_TO_12,
> - CurveDB.lookup("sect163k1")),
> + CurveDB.lookup("sect283k1")),
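Review bot: The curve name passed to CurveDB.lookup(...) on the changed line is a second string literal that has to be kept in sync by hand with the "sect283k1" name in the entry's first line, which is how SECT283_K1 ended up bound to the sect163k1 parameters in webrev.00 and passed the first review round. Consider passing the name once and deriving the lookup from it, or adding a test that compares each EC entry's group name with the name given to CurveDB.lookup, so a mismatch like this fails the build instead of depending on a re-read.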
>
> This is the version I'm planning to push:
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/
>
> Tests have passed.
>
> Best regards,
> Martin
>
>
> > -----Original Message-----
> > From: Hohensee, Paul <hohensee at amazon.com>
> > Sent: Thursday, 8 April 2021 01:01
> > To: Langer, Christoph <christoph.langer at sap.com>; Doerr, Martin
> > <martin.doerr at sap.com>; jdk-updates-dev
> > <jdk-updates-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> > Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> > Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hmm, could have sworn...
> >
> > Thanks,
> > Paul
> >
> > -----Original Message-----
> > From: "Langer, Christoph" <christoph.langer at sap.com>
> > Date: Wednesday, April 7, 2021 at 3:16 PM
> > To: "Hohensee, Paul" <hohensee at amazon.com>, "Doerr, Martin"
> > <martin.doerr at sap.com>, jdk-updates-dev
> > <jdk-updates-dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
> > Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>
> > Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hi Paul,
> >
> > thanks for the review. The CSR that Martin mentions is the one that Oracle
> > has filed for 11.0.12-oracle, so we can simply reuse it.
> >
> > As for 13, there exists a CSR as well: JDK-8256335
> >
> > Best regards
> > Christoph
> >
> > > -----Original Message-----
> > > From: Hohensee, Paul <hohensee at amazon.com>
> > > Sent: Wednesday, 7 April 2021 23:42
> > > To: Doerr, Martin <martin.doerr at sap.com>; jdk-updates-dev
> > > <jdk-updates-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> > > Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; Langer, Christoph
> > > <christoph.langer at sap.com>
> > > Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > > groups
> > >
> > > The backport looks fine, except there's a missing blank line after FFDHE_2048
> > > in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> > > for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> > > security person, so it would be great if someone who is reviews the CSR to
> > > see if there are any 11u-specific issues with it.
> > >
> > > Thanks,
> > > Paul
> > >
> > > -----Original Message-----
> > > From: jdk-updates-dev <jdk-updates-dev-retn at openjdk.java.net> on
> > > behalf of "Doerr, Martin" <martin.doerr at sap.com>
> > > Date: Wednesday, April 7, 2021 at 9:10 AM
> > > To: jdk-updates-dev <jdk-updates-dev at openjdk.java.net>, security-dev
> > > <security-dev at openjdk.java.net>
> > > Cc: "Lindenmaier, Goetz" <goetz.lindenmaier at sap.com>, "Langer,
> > > Christoph" <christoph.langer at sap.com>
> > > Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > > groups
> > >
> > > Hi,
> > >
> > > JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
> > > It doesn't apply cleanly. I've taken the 13u backport as source because it
> > > resolves the wrong backport order with JDK-8242141.
> > >
> > > Bug:
> > > https://bugs.openjdk.java.net/browse/JDK-8226374
> > >
> > > 11u CSR:
> > > https://bugs.openjdk.java.net/browse/JDK-8264555
> > >
> > > Original change (JDK14):
> > > https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> > >
> > > 13u backport:
> > > https://github.com/openjdk/jdk13u-dev/commit/384445d2
> > >
> > > 11u rejected hunks (integrated manually):
> > > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> > >
> > > my new 11u backport:
> > > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> > >
> > > Please review.
> > >
> > > Best regards,
> > > Martin
> > >
> >
>