On 1/28/19 2:25 PM, Jamil Nimeh wrote:
The change looks straightforward to me. One thing in the test code: if
this were to ever be backported to 11 the ChaCha20-Poly1305 suites need
to be removed from the ENABLED_UNLIMITED array.
Yes.
But is fine for jdk/jdk and jdk12.
Great, thanks for the review.
--Sean
--Jamil
On 1/28/2019 10:26 AM, Sean Mullan wrote:
This fixes a regression introduced by the recent change to disable the
TLS NULL cipher suites [1]. This accidentally also disabled the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite because when the name
is decomposed by the algorithm constraints checking code it has NULL
for its different parts (key exchange, etc). But this cipher suite is
not negotiable and is only used for renegotiation purposes as defined
in RFC 5746. It should not have been disabled.
I also resurrected the CheckCipherSuites test which had an @ignore
label on it. This is a good test because it checks what the expected
enabled/supported suites should be, and will help catch issues like
this in the future.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8217579/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8217579
Thanks,
Sean
[1] https://bugs.openjdk.java.net/browse/JDK-8211883