RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v5]
Lothar Kimmeringer
job at kimmeringer.de
Fri Nov 8 11:07:01 UTC 2024
On 08.11.2024 at 03:15, David Schlosnagle wrote:
> On Thu, 7 Nov 2024 22:13:04 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
I've tried to comment on GitHub but the bot that required me to accept the
TOS doesn't seem to automatically restore it while stating the opposite in
the comment. I don't want to fight that bot so I use this way instead.
> src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java line 127:
>
>> 125: return patternCache.computeIfAbsent(
>> 126: pattern,
>> 127: p -> Pattern.compile(p.replace("*", ".*")))
>
> Do we care if one uses other regex matching characters as part of the pattern input,
> e.g. should `TLS_[a-zA-Z0-9_]+` be a valid input that disables some algorithms?
I've asked myself the same thing and I think that - if that's not supposed to be
allowed - the following should solve that:
p -> Pattern.compile("^\\Q" + p.replace("*", "\\E.*\\Q") + "\\E$")
Cheers, Lothar
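
The two conversions discussed in this thread, side by side with a per-segment `Pattern.quote` variant. This is an added example, not code from the PR or from either poster. The class and method names, the sample values, and the use of `matches()` are assumptions.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class WildcardToRegexDemo {
    // Conversion quoted from the PR: only '*' is rewritten, so any other
    // regex metacharacter in the configured value stays active.
    static String naive(String p) {
        return p.replace("*", ".*");
    }

    // Conversion proposed in the reply: literal text sits inside \Q...\E and
    // each '*' closes the quote, emits ".*", then reopens it.
    static String quoted(String p) {
        return "^\\Q" + p.replace("*", "\\E.*\\Q") + "\\E$";
    }

    // Hypothetical variant: Pattern.quote() per literal segment, which also
    // handles a value that itself contains the two characters \E.
    static String perSegment(String p) {
        String[] parts = p.split("\\*", -1);   // -1 keeps a trailing empty segment
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) sb.append(".*");
            sb.append(Pattern.quote(parts[i]));
        }
        return sb.toString();
    }

    // "true"/"false" for a full match, "rejected" if the regex does not compile.
    static String test(String regex, String input) {
        try {
            return String.valueOf(Pattern.compile(regex).matcher(input).matches());
        } catch (PatternSyntaxException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the PR's tests.
        String suite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        String[] configured = { "TLS_RSA_*", "TLS_[a-zA-Z0-9_]+", "TLS_\\E.*" };
        for (String p : configured) {
            System.out.printf("%-20s naive=%-8s quoted=%-8s perSegment=%s%n", p,
                test(naive(p), suite), test(quoted(p), suite), test(perSegment(p), suite));
        }
    }
}
```

The third sample value contains `\E`, which closes a `\Q` quote early, so it is the case where the quoting conversions can differ from one another.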