[8u-dev] RFA + RFR (M): 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883

Hohensee, Paul hohensee at amazon.com
Fri Feb 22 01:33:56 UTC 2019

Please review/approve this backport to 8u that is tagged by Oracle for 8u211.

JBS: https://bugs.openjdk.java.net/browse/JDK-8217579
Webrev: http://cr.openjdk.java.net/~phh/8217579/webrev.8u.00/
jdk11u backport patch: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/dd764f251274
Original patch: http://hg.openjdk.java.net/jdk/jdk/rev/ad3438957ff5

jdk11u backport review thread: https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019271.html
Original review thread: https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019256.html

There are 3 differences between this patch and the jdk11u patch.

The first is that the 8u change in SSLAlgorithmDecomposer.java compares against CipherSuite.C_SCSV rather than CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV. C_SCSV appears to be the 8u equivalent of 11u’s TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

The second is that the TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 ciphers do not appear to be supported by 8u.

Finally, the cipher dump order in CheckCipherSuites.java is different in 8u compared to 11u, though the number and names of the ciphers are the same (other than the two above).


