The backport looks fine, except there's a missing blank line after FFDHE_2048 
in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one 
for the 13u backport: perhaps Yan will add one after the fact). I'm not a 
security person, so it would be great if someone who is reviews the CSR to see 
if there are any 11u-specific issues with it.

Thanks,
Paul

-----Original Message-----
From: jdk-updates-dev <jdk-updates-dev-r...@openjdk.java.net> on behalf of 
"Doerr, Martin" <martin.do...@sap.com>
Date: Wednesday, April 7, 2021 at 9:10 AM
To: jdk-updates-dev <jdk-updates-...@openjdk.java.net>, security-dev 
<security-dev@openjdk.java.net>
Cc: "Lindenmaier, Goetz" <goetz.lindenma...@sap.com>, "Langer, Christoph" 
<christoph.lan...@sap.com>
Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi,

JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly. I've taken the 13u backport as source because it 
resolves the wrong backport order with JDK-8242141.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8226374

11u CSR:
https://bugs.openjdk.java.net/browse/JDK-8264555

Original change (JDK14):
https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644

13u backport:
https://github.com/openjdk/jdk13u-dev/commit/384445d2

11u rejected hunks (integrated manually):
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt

my new 11u backport:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/

Please review.

Best regards,
Martin

