RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-09 Thread Doerr, Martin
That one was hard to see. Pushed.

Thanks,
Martin


> -Original Message-
> From: Hohensee, Paul 
> Sent: Thursday, 8 April 2021 23:36
> To: Doerr, Martin ; Langer, Christoph
> ; jdk-updates-dev  d...@openjdk.java.net>; security-dev 
> Cc: Lindenmaier, Goetz 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> Ouch, missed that. Good to go.
> 
> Thanks,
> Paul
> 
> -Original Message-
> From: "Doerr, Martin" 
> Date: Thursday, April 8, 2021 at 2:53 AM
> To: "Hohensee, Paul" , "Langer, Christoph"
> , jdk-updates-dev  d...@openjdk.java.net>, security-dev 
> Cc: "Lindenmaier, Goetz" 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> Hi Paul and Christoph,
> 
> thank you for the review and the approval.
> 
> I've added the blank line.
> In addition, I've reviewed the whole change again and found a copy & paste
> bug in my webrev.00:
>  SECT283_K1(0x0009, "sect283k1", true,
>  NamedGroupSpec.NAMED_GROUP_ECDHE,
>  ProtocolVersion.PROTOCOLS_TO_12,
> -CurveDB.lookup("sect163k1")),
> +CurveDB.lookup("sect283k1")),
> 
> This is the version I'm planning to push:
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/
> 
> Tests have passed.
> 
> Best regards,
> Martin
> 
> 
> > -Original Message-
> > From: Hohensee, Paul 
> > Sent: Thursday, 8 April 2021 01:01
> > To: Langer, Christoph ; Doerr, Martin
> > ; jdk-updates-dev  > d...@openjdk.java.net>; security-dev 
> > Cc: Lindenmaier, Goetz 
> > Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hmm, could have sworn...
> >
> > Thanks,
> > Paul
> >
> > -----Original Message-
> > From: "Langer, Christoph" 
> > Date: Wednesday, April 7, 2021 at 3:16 PM
> > To: "Hohensee, Paul" , "Doerr, Martin"
> > , jdk-updates-dev  > d...@openjdk.java.net>, security-dev 
> > Cc: "Lindenmaier, Goetz" 
> > Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hi Paul,
> >
> > thanks for the review. The CSR that Martin mentions is the one that Oracle
> > has filed for 11.0.12-oracle, so we can simply reuse it.
> >
> > As for 13, there exists a CSR as well: JDK-8256335
> >
> > Best regards
> > Christoph
> >
> > > -Original Message-
> > > From: Hohensee, Paul 
> > > Sent: Wednesday, 7 April 2021 23:42
> > > To: Doerr, Martin ; jdk-updates-dev  > updates-
> > > d...@openjdk.java.net>; security-dev 
> > > Cc: Lindenmaier, Goetz ; Langer, Christoph
> > > 
> > > Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > > groups
> > >
> > > The backport looks fine, except there's a missing blank line after FFDHE_2048
> > > in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> > > for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> > > security person, so it would be great if someone who is reviews the CSR to
> > > see if there are any 11u-specific issues with it.
> > >
> > > Thanks,
> > > Paul
> > >
> > > -Original Message-
> > > From: jdk-updates-dev  on
> > > behalf of "Doerr, Martin" 
> > > Date: Wednesday, April 7, 2021 at 9:10 AM
> > > To: jdk-updates-dev , security-dev
> > > 
> > > Cc: "Lindenmaier, Goetz" , "Langer,
> > > Christoph" 
> > > Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > > groups
> > >
> > > Hi,
> > >
> > > JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for
> > > parity.
> > > It doesn't apply cleanly. I've taken the 13u backport as source because it
> > > resolves the wrong backport order with JDK-8242141.
> > >
> > > Bug:
> > > https://bugs.openjdk.java.net/browse/JDK-8226374
> > >
> > > 11u CSR:
> > > https://bugs.openjdk.java.net/browse/JDK-8264555
> > >
> > > Original change (JDK14):
> > > https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> > >
> > > 13u backport:
> > > https://github.com/openjdk/jdk13u-dev/commit/384445d2
> > >
> > > 11u rejected hunks (integrated manually):
> > > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> > >
> > > my new 11u backport:
> > > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> > >
> > > Please review.
> > >
> > > Best regards,
> > > Martin
> > >
> >
> 



RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-08 Thread Hohensee, Paul
Ouch, missed that. Good to go.

Thanks,
Paul

-Original Message-
From: "Doerr, Martin" 
Date: Thursday, April 8, 2021 at 2:53 AM
To: "Hohensee, Paul" , "Langer, Christoph" 
, jdk-updates-dev , 
security-dev 
Cc: "Lindenmaier, Goetz" 
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul and Christoph,

thank you for the review and the approval.

I've added the blank line.
In addition, I've reviewed the whole change again and found a copy & paste bug 
in my webrev.00:
 SECT283_K1(0x0009, "sect283k1", true,
 NamedGroupSpec.NAMED_GROUP_ECDHE,
 ProtocolVersion.PROTOCOLS_TO_12,
-CurveDB.lookup("sect163k1")),
+CurveDB.lookup("sect283k1")),

This is the version I'm planning to push:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/

Tests have passed.

Best regards,
Martin


> -Original Message-
> From: Hohensee, Paul 
> Sent: Thursday, 8 April 2021 01:01
> To: Langer, Christoph ; Doerr, Martin
> ; jdk-updates-dev  d...@openjdk.java.net>; security-dev 
> Cc: Lindenmaier, Goetz 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hmm, could have sworn...
>
> Thanks,
> Paul
>
> -Original Message-
> From: "Langer, Christoph" 
> Date: Wednesday, April 7, 2021 at 3:16 PM
> To: "Hohensee, Paul" , "Doerr, Martin"
> , jdk-updates-dev  d...@openjdk.java.net>, security-dev 
> Cc: "Lindenmaier, Goetz" 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hi Paul,
>
> thanks for the review. The CSR that Martin mentions is the one that Oracle
> has filed for 11.0.12-oracle, so we can simply reuse it.
>
> As for 13, there exists a CSR as well: JDK-8256335
>
> Best regards
> Christoph
>
> > -Original Message-----
> > From: Hohensee, Paul 
> > Sent: Wednesday, 7 April 2021 23:42
> > To: Doerr, Martin ; jdk-updates-dev  updates-
> > d...@openjdk.java.net>; security-dev 
> > Cc: Lindenmaier, Goetz ; Langer, Christoph
> > 
> > Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > The backport looks fine, except there's a missing blank line after FFDHE_2048
> > in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> > for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> > security person, so it would be great if someone who is reviews the CSR to
> > see if there are any 11u-specific issues with it.
> >
> > Thanks,
> > Paul
> >
> > -Original Message-
> > From: jdk-updates-dev  on
> > behalf of "Doerr, Martin" 
> > Date: Wednesday, April 7, 2021 at 9:10 AM
> > To: jdk-updates-dev , security-dev
> > 
> > Cc: "Lindenmaier, Goetz" , "Langer,
> > Christoph" 
> > Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hi,
> >
> > JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for 
> > parity.
> > It doesn't apply cleanly. I've taken the 13u backport as source because it
> > resolves the wrong backport order with JDK-8242141.
> >
> > Bug:
> > https://bugs.openjdk.java.net/browse/JDK-8226374
> >
> > 11u CSR:
> > https://bugs.openjdk.java.net/browse/JDK-8264555
> >
> > Original change (JDK14):
> > https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> >
> > 13u backport:
> > https://github.com/openjdk/jdk13u-dev/commit/384445d2
> >
> > 11u rejected hunks (integrated manually):
> > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> >
> > my new 11u backport:
> > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> >
> > Please review.
> >
> > Best regards,
> > Martin
> >
>




RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-08 Thread Doerr, Martin
Hi Paul and Christoph,

thank you for the review and the approval.

I've added the blank line.
In addition, I've reviewed the whole change again and found a copy & paste bug 
in my webrev.00:
 SECT283_K1(0x0009, "sect283k1", true,
 NamedGroupSpec.NAMED_GROUP_ECDHE,
 ProtocolVersion.PROTOCOLS_TO_12,
-CurveDB.lookup("sect163k1")),
+CurveDB.lookup("sect283k1")),
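
Review bot: The CurveDB.lookup(...) argument on the changed line repeats the curve name that is already passed as the second argument of SECT283_K1, so the two string literals can drift apart without any compile error; that is how webrev.00 bound group 0x0009 ("sect283k1") to the sect163k1 parameters. Please re-check the neighbouring entries for the same copy and paste slip, and consider a regression test that walks the ECDHE entries and verifies that the curve each one looks up is the curve named in its own name field, so a mismatch like this fails a test instead of relying on a second read of the webrev.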

This is the version I'm planning to push:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/

Tests have passed.

Best regards,
Martin


> -Original Message-
> From: Hohensee, Paul 
> Sent: Thursday, 8 April 2021 01:01
> To: Langer, Christoph ; Doerr, Martin
> ; jdk-updates-dev  d...@openjdk.java.net>; security-dev 
> Cc: Lindenmaier, Goetz 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> Hmm, could have sworn...
> 
> Thanks,
> Paul
> 
> -Original Message-
> From: "Langer, Christoph" 
> Date: Wednesday, April 7, 2021 at 3:16 PM
> To: "Hohensee, Paul" , "Doerr, Martin"
> , jdk-updates-dev  d...@openjdk.java.net>, security-dev 
> Cc: "Lindenmaier, Goetz" 
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> Hi Paul,
> 
> thanks for the review. The CSR that Martin mentions is the one that Oracle
> has filed for 11.0.12-oracle, so we can simply reuse it.
> 
> As for 13, there exists a CSR as well: JDK-8256335
> 
> Best regards
> Christoph
> 
> > -Original Message-
> > From: Hohensee, Paul 
> > Sent: Wednesday, 7 April 2021 23:42
> > To: Doerr, Martin ; jdk-updates-dev  updates-
> > d...@openjdk.java.net>; security-dev 
> > Cc: Lindenmaier, Goetz ; Langer, Christoph
> > 
> > Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > The backport looks fine, except there's a missing blank line after FFDHE_2048
> > in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> > for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> > security person, so it would be great if someone who is reviews the CSR to
> > see if there are any 11u-specific issues with it.
> >
> > Thanks,
> > Paul
> >
> > -Original Message-
> > From: jdk-updates-dev  on
> > behalf of "Doerr, Martin" 
> > Date: Wednesday, April 7, 2021 at 9:10 AM
> > To: jdk-updates-dev , security-dev
> > 
> > Cc: "Lindenmaier, Goetz" , "Langer,
> > Christoph" 
> > Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> > groups
> >
> > Hi,
> >
> > JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for 
> > parity.
> > It doesn't apply cleanly. I've taken the 13u backport as source because it
> > resolves the wrong backport order with JDK-8242141.
> >
> > Bug:
> > https://bugs.openjdk.java.net/browse/JDK-8226374
> >
> > 11u CSR:
> > https://bugs.openjdk.java.net/browse/JDK-8264555
> >
> > Original change (JDK14):
> > https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> >
> > 13u backport:
> > https://github.com/openjdk/jdk13u-dev/commit/384445d2
> >
> > 11u rejected hunks (integrated manually):
> > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> >
> > my new 11u backport:
> > http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> >
> > Please review.
> >
> > Best regards,
> > Martin
> >
> 



RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-07 Thread Hohensee, Paul
Hmm, could have sworn...

Thanks,
Paul

-Original Message-
From: "Langer, Christoph" 
Date: Wednesday, April 7, 2021 at 3:16 PM
To: "Hohensee, Paul" , "Doerr, Martin" 
, jdk-updates-dev , 
security-dev 
Cc: "Lindenmaier, Goetz" 
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul,

thanks for the review. The CSR that Martin mentions is the one that Oracle has 
filed for 11.0.12-oracle, so we can simply reuse it.

As for 13, there exists a CSR as well: JDK-8256335

Best regards
Christoph

> -Original Message-
> From: Hohensee, Paul 
> Sent: Wednesday, 7 April 2021 23:42
> To: Doerr, Martin ; jdk-updates-dev  d...@openjdk.java.net>; security-dev 
> Cc: Lindenmaier, Goetz ; Langer, Christoph
> 
> Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> The backport looks fine, except there's a missing blank line after FFDHE_2048
> in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> security person, so it would be great if someone who is reviews the CSR to
> see if there are any 11u-specific issues with it.
>
> Thanks,
> Paul
>
> -Original Message-
> From: jdk-updates-dev  on
> behalf of "Doerr, Martin" 
> Date: Wednesday, April 7, 2021 at 9:10 AM
> To: jdk-updates-dev , security-dev
> 
> Cc: "Lindenmaier, Goetz" , "Langer,
> Christoph" 
> Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hi,
>
> JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for 
> parity.
> It doesn't apply cleanly. I've taken the 13u backport as source because it
> resolves the wrong backport order with JDK-8242141.
>
> Bug:
> https://bugs.openjdk.java.net/browse/JDK-8226374
>
> 11u CSR:
> https://bugs.openjdk.java.net/browse/JDK-8264555
>
> Original change (JDK14):
> https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
>
> 13u backport:
> https://github.com/openjdk/jdk13u-dev/commit/384445d2
>
> 11u rejected hunks (integrated manually):
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
>
> my new 11u backport:
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
>
> Please review.
>
> Best regards,
> Martin
>




RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-07 Thread Langer, Christoph
Hi Paul,

thanks for the review. The CSR that Martin mentions is the one that Oracle has 
filed for 11.0.12-oracle, so we can simply reuse it.

As for 13, there exists a CSR as well: JDK-8256335

Best regards
Christoph

> -Original Message-
> From: Hohensee, Paul 
> Sent: Wednesday, 7 April 2021 23:42
> To: Doerr, Martin ; jdk-updates-dev  d...@openjdk.java.net>; security-dev 
> Cc: Lindenmaier, Goetz ; Langer, Christoph
> 
> Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> The backport looks fine, except there's a missing blank line after FFDHE_2048
> in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> security person, so it would be great if someone who is reviews the CSR to
> see if there are any 11u-specific issues with it.
> 
> Thanks,
> Paul
> 
> -Original Message-
> From: jdk-updates-dev  on
> behalf of "Doerr, Martin" 
> Date: Wednesday, April 7, 2021 at 9:10 AM
> To: jdk-updates-dev , security-dev
> 
> Cc: "Lindenmaier, Goetz" , "Langer,
> Christoph" 
> Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
> 
> Hi,
> 
> JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for 
> parity.
> It doesn't apply cleanly. I've taken the 13u backport as source because it
> resolves the wrong backport order with JDK-8242141.
> 
> Bug:
> https://bugs.openjdk.java.net/browse/JDK-8226374
> 
> 11u CSR:
> https://bugs.openjdk.java.net/browse/JDK-8264555
> 
> Original change (JDK14):
> https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644
> 
> 13u backport:
> https://github.com/openjdk/jdk13u-dev/commit/384445d2
> 
> 11u rejected hunks (integrated manually):
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt
> 
> my new 11u backport:
> http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/
> 
> Please review.
> 
> Best regards,
> Martin
> 



Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

2021-04-07 Thread Hohensee, Paul
The backport looks fine, except there's a missing blank line after FFDHE_2048 
in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one 
for the 13u backport: perhaps Yan will add one after the fact). I'm not a 
security person, so it would be great if someone who is reviews the CSR to see 
if there are any 11u-specific issues with it.

Thanks,
Paul

-Original Message-
From: jdk-updates-dev  on behalf of 
"Doerr, Martin" 
Date: Wednesday, April 7, 2021 at 9:10 AM
To: jdk-updates-dev , security-dev 

Cc: "Lindenmaier, Goetz" , "Langer, Christoph" 

Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi,

JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly. I've taken the 13u backport as source because it 
resolves the wrong backport order with JDK-8242141.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8226374

11u CSR:
https://bugs.openjdk.java.net/browse/JDK-8264555

Original change (JDK14):
https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644

13u backport:
https://github.com/openjdk/jdk13u-dev/commit/384445d2

11u rejected hunks (integrated manually):
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt

my new 11u backport:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/

Please review.

Best regards,
Martin