RFR: 8370885: Default namedGroups values are not being filtered against algorithm constraints [v4]

Hai-May Chao hchao at openjdk.org
Thu Jan 15 10:27:06 UTC 2026


On Fri, 2 Jan 2026 15:02:31 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> NamedGroup.SupportedGroups.namedGroups values are not being filtered against algorithm constraints, unlike other SSLParameters returned by the SSLConfiguration#getSSLParameters() call. Those are the values being displayed to the user with the "java -XshowSettings:security:tls" command.
>> 
>> Also making changes to avoid needless default group names lookup while we are touching this file.
>
> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains five commits:
> 
>  - Merge branch 'master' into JDK-8370885
>    
>    # Conflicts:
>    #	src/java.base/share/classes/sun/security/ssl/NamedGroup.java
>  - Update copyright year
>  - Merge branch 'master' into JDK-8370885
>  - Merge branch 'master' into JDK-8370885
>    
>    # Conflicts:
>    #	src/java.base/share/classes/sun/security/ssl/NamedGroup.java
>  - 8370885: Default namedGroups values are not being filtered against algorithm constraints

src/java.base/share/classes/sun/security/ssl/NamedGroup.java line 780:

> 778:                 customizedGroups == null ?
> 779:                         null : Arrays.stream(customizedGroups)
> 780:                         .map(ng -> ng.name)

The filtering against algorithm constraints is not being done for customizedNames. Is it to preserve the user’s selection and let constraints be applied during the handshake as before? It is different from defaultNames’s. Suggest adding some comments for it.

src/java.base/share/classes/sun/security/ssl/NamedGroup.java line 799:

> 797:         // Avoid the group lookup for default and customized groups.
> 798:         static NamedGroup[] getGroupsFromConfig(SSLConfiguration sslConfig) {
> 799:             if (sslConfig.namedGroups == defaultNames) {

Nit: getGroupsFromConfig() can choose from pre-initialized defaultGroups, customizedGroups, or sslConfig.namedGroups. Its name sounds like it reads something directly from SSLConfiguration.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28397#discussion_r2693798265
PR Review Comment: https://git.openjdk.org/jdk/pull/28397#discussion_r2693809343
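
A check a deployer can run for the behaviour discussed above, as an added example that is not part of this e-mail or of the pull request: it lists the named groups that the default SSLParameters report and flags any that a bare-name entry in jdk.tls.disabledAlgorithms disables. The class and method names are hypothetical, and the bare-name match is an assumption that only approximates the JDK's internal constraint check.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

public class NamedGroupConstraintCheck {
    // Bare-name entries of jdk.tls.disabledAlgorithms, lower-cased. Entries with
    // a condition or an "include" directive (they contain a space) are skipped,
    // so this is an approximation of the JDK's own constraint check.
    static Set<String> bareDisabledEntries(String prop) {
        Set<String> out = new HashSet<>();
        if (prop == null) return out;
        for (String entry : prop.split(",")) {
            String t = entry.trim();
            if (!t.isEmpty() && !t.contains(" ")) out.add(t.toLowerCase(Locale.ROOT));
        }
        return out;
    }

    // Group names that are reported although a bare entry disables them.
    static List<String> disabledButListed(String[] groups, Set<String> disabled) {
        List<String> hits = new ArrayList<>();
        if (groups == null) return hits;
        for (String g : groups) {
            if (disabled.contains(g.toLowerCase(Locale.ROOT))) hits.add(g);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled =
                bareDisabledEntries(Security.getProperty("jdk.tls.disabledAlgorithms"));
        // SSLParameters.getNamedGroups() is available from Java 20 onwards.
        String[] groups =
                SSLContext.getDefault().getDefaultSSLParameters().getNamedGroups();
        // When jdk.tls.namedGroups is set, the list is the user's customized one.
        String custom = System.getProperty("jdk.tls.namedGroups");
        System.out.println("source: "
                + (custom == null ? "JDK defaults" : "jdk.tls.namedGroups=" + custom));
        System.out.println("groups: " + Arrays.toString(groups));
        System.out.println("listed but disabled: " + disabledButListed(groups, disabled));
    }
}
```

Running it once without and once with -Djdk.tls.namedGroups set shows which of the two lists, default or customized, still reports a disabled group.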

