<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=DE link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hello Sean,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Maybe you also want to change comment and name of the SUPPORTE_DDEFAULT Array to „SUPPORTED_LIMITED“ since Unlimited is now Default?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><pre><span lang=EN-US style='color:black'> private final static String[] ENABLED_DEFAULT<o:p></o:p></span></pre></div><p class=MsoNormal><span lang=EN-US>….<o:p></o:p></span></p><div><pre><span lang=EN-US style='color:black'> // supported ciphersuites using default JCE policy jurisdiction files<o:p></o:p></span></pre><pre><span lang=EN-US style='color:black'> // AES/256 unavailable<o:p></o:p></span></pre><pre><span lang=EN-US style='color:black'> private final static String[] SUPPORTED_DEFAULT = {<o:p></o:p></span></pre><pre><span lang=EN-US style='color:black'>230 – remove „Default<o:p></o:p></span></pre></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Is the test already run with all available policies? With the new System property it should be easy to run it with other/vm twice?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Is Oracle considering pushing a emergency public update for this?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The change Looks otherwise fine (I was first wondering if checking for a _SVCS Family makes more sense but I guess that can be done once we have more of those ciphers.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Gruss<o:p></o:p></span></p><p class=MsoNormal>Bernd</p><p class=MsoNormal>-- <br>http://bernd.eckenfels.net</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>Von: </b><a href="mailto:sean.mullan@oracle.com">Sean Mullan</a><br><b>Gesendet: </b>Montag, 28. Januar 2019 20:26<br><b>An: </b><a href="mailto:security-dev@openjdk.java.net">security Dev OpenJDK</a><br><b>Betreff: </b>RFR: 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone after 8211883</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This fixes a regression introduced by the recent change to disable the </p><p class=MsoNormal>TLS NULL cipher suites [1]. This accidentally also disabled the </p><p class=MsoNormal>TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name is </p><p class=MsoNormal>decomposed by the algorithm constraints checking code it has NULL for </p><p class=MsoNormal>its different parts (key exchange, etc). But this cipher suite is not </p><p class=MsoNormal>negotiable and is only used for renegotiation purposes as defined in RFC</p><p class=MsoNormal>5746. It should not have been disabled.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I also resurrected the CheckCipherSuites test which had an @ignore label </p><p class=MsoNormal>on it. This is a good test because it checks what the expected </p><p class=MsoNormal>enabled/supported suites should be, and will help catch issues like this </p><p class=MsoNormal>in the future.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/</p><p class=MsoNormal>bug: https://bugs.openjdk.java.net/browse/JDK-8217579</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,</p><p class=MsoNormal>Sean</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[1] https://bugs.openjdk.java.net/browse/JDK-8211883</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>