[11u] RFR: 8206925: Support the certificate_authorities extension

Langer, Christoph christoph.langer at sap.com
Wed Mar 24 14:48:22 UTC 2021

Hi Martin,

your backport looks good. I see the new tests pass and our testing does not unveil other regressions. Reviewed.

Oracle has already included this item in 11.0.10 but it fell through the cracks for OpenJDK 11u due to an issue with the updates filter. However, it seems like an important item for TLS 1.3 usability. We have just received a customer request why this wasn’t included in 11u yet, they would need it for their product to move on to TLS 1.3. So I think we should strive for 11.0.11 with this backport. Please label accordingly. Adding @Andrew Haley<mailto:aph at redhat.com> and @Severin Gehwolf<mailto:sgehwolf at redhat.com> for their opinion on this decision ��

The CSR https://bugs.openjdk.java.net/browse/JDK-8248709 should apply to this backport, please link it to the JBS issue.

Thanks & Best regards

From: Doerr, Martin <martin.doerr at sap.com>
Sent: Dienstag, 23. März 2021 16:25
To: jdk-updates-dev at openjdk.java.net; security-dev <security-dev at openjdk.java.net>
Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; Langer, Christoph <christoph.langer at sap.com>
Subject: [11u] RFR: 8206925: Support the certificate_authorities extension


JDK-8206925 was backported to 11.0.10-oracle, but it’s still missing in the Open Source version.
I'd like to backport it for parity.
It does apply cleanly, but I had to modify it, because the following change is not in 11u:


Original change:

11u backport:

Manual change to make it work without JDK-8215712 (SSLStringizer and derived classes don’t take a HandshakeContext in 11u):

Please review.

Best regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20210324/fa3504d8/attachment.htm>

More information about the security-dev mailing list