Hi Martin, your backport looks good. I see the new tests pass and our testing does not unveil other regressions. Reviewed.
Oracle has already included this item in 11.0.10 but it fell through the cracks for OpenJDK 11u due to an issue with the updates filter. However, it seems like an important item for TLS 1.3 usability. We have just received a customer request why this wasn’t included in 11u yet, they would need it for their product to move on to TLS 1.3. So I think we should strive for 11.0.11 with this backport. Please label accordingly. Adding @Andrew Haley<mailto:a...@redhat.com> and @Severin Gehwolf<mailto:sgehw...@redhat.com> for their opinion on this decision 😊 The CSR https://bugs.openjdk.java.net/browse/JDK-8248709 should apply to this backport, please link it to the JBS issue. Thanks & Best regards Christoph From: Doerr, Martin <martin.do...@sap.com> Sent: Dienstag, 23. März 2021 16:25 To: jdk-updates-...@openjdk.java.net; security-dev <security-dev@openjdk.java.net> Cc: Lindenmaier, Goetz <goetz.lindenma...@sap.com>; Langer, Christoph <christoph.lan...@sap.com> Subject: [11u] RFR: 8206925: Support the certificate_authorities extension Hi, JDK-8206925 was backported to 11.0.10-oracle, but it’s still missing in the Open Source version. I'd like to backport it for parity. It does apply cleanly, but I had to modify it, because the following change is not in 11u: https://bugs.openjdk.java.net/browse/JDK-8215712 Bug: https://bugs.openjdk.java.net/browse/JDK-8206925 Original change: https://hg.openjdk.java.net/jdk/jdk/rev/827bac238aa0 11u backport: http://cr.openjdk.java.net/~mdoerr/8206925_ca_ext_11u/webrev.00/ Manual change to make it work without JDK-8215712 (SSLStringizer and derived classes don’t take a HandshakeContext in 11u): http://cr.openjdk.java.net/~mdoerr/8206925_ca_ext_11u/8206925_ca_ext_diff.txt Please review. Best regards, Martin