On Mon, 29 Jun 2026 19:20:19 GMT, Artur Barashev <[email protected]> wrote:
>> That’s a good point, thanks! >> >> My test consists of two sub-tests (testCipherSuiteVisibility and >> testHandshake). After clearing jdk.tls.disabledAlgorithms (to cover all >> possible cipher suites), iterating over getSupportedCipherSuites() works >> fine for testCipherSuiteVisibility, since the goal is to verify which suites >> are filtered out by the security property. >> >> However, for testHandshake this approach leads to failures for some >> supported cipher suites that are not actually handshakeable (e.g., >> Unsupported signature algorithm: DSA for DHE_DSS suites, or anonymous cipher >> suites which are not enabled by default). These failures are unrelated to >> the behavior under test. >> >> Therefore, for the handshake test it seems necessary to restrict the set to >> suites that are both enabled by default and handshakeable (e.g., using >> getEnabledCipherSuites() a), while still using the full supported set for >> the visibility checks. >> >> @artur-oracle What do you think? > > Of course, for the handshake we can use the default > `jdk.tls.disabledAlgorithms` security property. We just want to make sure we > decompose bulk ciphers for all cipher suites. done ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/31633#discussion_r3500506410
