8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

[sercher]

Hello,

I would like to create a backport of 8233228 in 13u. The backport is already in production in 11u.

The proposed 8233228 patch is exactly the same as 15u version, except for Hunk #9 at line 258(299):

edec2fc#diff-499d805909084ecc06c50b4706f8a2b3ec70ab9aaf55d54a6156c518f85f1bd6

in which the 8244479 is already applied. In comparison, the 15u version applies 8244479 on top of 8233228, so the changes are in reverse order. Otherwise there are no code / logic changes in the code.

Thank you.

Best regards,
Sergey Chernyshev
BellSoft

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR ⚠️ Issue is not open.

Reviewers

• Yuri Nesterenko (@yan-too - Reviewer)

Download

$ git fetch https://git.openjdk.java.net/jdk13u-dev pull/32/head:pull/32
$ git checkout pull/32

[bridgekeeper]

Hi @sercher, welcome to this OpenJDK project and thanks for contributing!

We do not recognize you as Contributor and need to ensure you have signed the Oracle Contributor Agreement (OCA). If you have not signed the OCA, please follow the instructions. Please fill in your GitHub username in the "Username" field of the application. Once you have signed the OCA, please let us know by writing /signed in a comment in this pull request.

If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please use "Add GitHub user sercher" as summary for the issue.

If you are contributing this work on behalf of your employer and your employer has signed the OCA, please let us know by writing /covered in a comment in this pull request.

[sercher]

/signed

[bridgekeeper]

Thank you! Please allow for up to two weeks to process your OCA, although it is usually done within one to two business days. Also, please note that pull requests that are pending an OCA check will not usually be evaluated, so your patience is appreciated!

[sercher]

/covered

[bridgekeeper]

Thank you! Please allow for a few business days to verify that your employer has signed the OCA. Also, please note that pull requests that are pending an OCA check will not usually be evaluated, so your patience is appreciated!

[alexeybakhtin]

I'm not a reviewer but Looks Good To Me

[yan-too]

Sergey, please take a look at the comment in JBS issue regarding the CSR.

[mlbridge]

Webrevs

• 00: Full (edec2fc)

[openjdk]

⚠️ @sercher the full name on your profile does not match the author name in this pull requests' HEAD commit. If this pull request gets integrated then the author name from this pull requests' HEAD commit will be used for the resulting commit. If you wish to push a new commit with a different author name, then please run the following commands in a local repository of your personal fork:

$ git checkout backport-8233228
$ git commit -c user.name='Preferred Full Name' --allow-empty -m 'Update full name'
$ git push

[openjdk]

@sercher This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

Reviewed-by: yan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 14 new commits pushed to the master branch:

• 420ec53: 8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
• 74991c9: 8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
• dabaf4e: 8235183: Remove the "HACK CODE" in comment
• e91e43b: 8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
• c6f81a5: 8223940: Private key not supported by chosen signature algorithm
• 80be64a: 8249183: JVM crash in "AwtFrame::WmSize" method
• 5af784b: 8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
• 89354b8: 8226575: OperatingSystemMXBean should be made container aware
• 92da5d8: 8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
• 91b19c9: 8230767: FlightRecorderListener returns null recording
• ... and 4 more: https://git.openjdk.java.net/jdk13u-dev/compare/538464bfed56bbf3d7a039fce3cf29cf71724860...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@yan-too) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[sercher]

/integrate

[openjdk]

@sercher
Your change (at version edec2fc) is now ready to be sponsored by a Committer.

[AlexanderScherbatiy]

/sponsor

[openjdk]

@AlexanderScherbatiy @sercher Since your change was applied there have been 14 commits pushed to the master branch:

• 420ec53: 8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
• 74991c9: 8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
• dabaf4e: 8235183: Remove the "HACK CODE" in comment
• e91e43b: 8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
• c6f81a5: 8223940: Private key not supported by chosen signature algorithm
• 80be64a: 8249183: JVM crash in "AwtFrame::WmSize" method
• 5af784b: 8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
• 89354b8: 8226575: OperatingSystemMXBean should be made container aware
• 92da5d8: 8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
• 91b19c9: 8230767: FlightRecorderListener returns null recording
• ... and 4 more: https://git.openjdk.java.net/jdk13u-dev/compare/538464bfed56bbf3d7a039fce3cf29cf71724860...master

Your commit was automatically rebased without conflicts.

Pushed as commit b452c82.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.