-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8279164: Disable TLS_ECDH_* cipher suites #519
Conversation
👋 Welcome back zzambers! A progress list of the required criteria for merging this PR into |
@zzambers This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 4 new commits pushed to the
Please see this link for an up-to-date comparison between the source branch of this pull request and the ➡️ To integrate this PR with the above commit message to the |
This backport pull request has now been updated with issue from the original commit. |
At least one of the issues associated with this backport has a resolved CSR for a different version. As this means that this backport may also need a CSR, the |
Webrevs
|
CSR is here: https://bugs.openjdk.org/browse/JDK-8332812 |
@zzambers Could you please try a new PR title? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Only a few nit-picks.
I think it would be good for @martinuy and/or @franferrax to look this one over as well. |
I've created an openjdk8u432 backport linking to this. Let's see if that appeases Skara. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @jerboaa about the ECDH
addition. It should match the trunk patch, ugly as it is.
Otherwise, this looks good. I think, by using trunk, you've also avoided an error which seems to have been introduced in the 11u & 17u backports. They both wrongly add elements of JDK-8163327. I'm going to file an issue to fix this in 11 & 17.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ECDH change still needs to be made.
I have tried to update the title |
This backport pull request has now been updated with issue from the original commit. |
Is there anything more which should be done by me in relation to csr? Or that one should be done automatically, but somehow it does not work? |
Give the bot a few more minutes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
Note: I was a bit puzzled to see "SSL_RSA_WITH_3DES_EDE_CBC_SHA" in the 11u-dev patch as 8163327 has not been backported to 11u. Looks like the JDK main line patch was extending the |
Yes, I noted that above and on the 17u backport: openjdk/jdk17u-dev#2559 (comment) I'll open a bug to fix 11u & 17u. It looks like 8u avoided the issue by starting from the trunk patch. |
/csr unneeded. Adding this in order to move this PR forward. We have a CSR that is approved and we'll link it manually (if need be) once pushed. |
Filed this skara issue for the CSR trouble: https://bugs.openjdk.org/browse/SKARA-2297 |
Yy, I did backport directly from openjdk/jdk. (I did not wait to 17u/11u, as backport would not be clean anyway.) |
thanks |
I've added |
|
Good, It worked :) /approval request Disables TLS_ECDH_* cipher suites, not clean, testing: OK (GHA, jdk_security) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. I'll let @gnu-andrew have a look as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated version looks good.
We had to do this on the last issue with a CSR too: #392 (comment) |
/approve yes |
@gnu-andrew |
thanks /integrate |
Going to push as commit b1e2ea8.
Your commit was automatically rebased without conflicts. |
Backport disables
TLS_ECDH_*
cipher suites.Not clean. Differences:
java.security
file on 8u (one per system), because it does not have JDK-6997010 (Consolidate java.security files into one file with modifications)test/jdk/javax/net/ssl/DTLS/CipherSuite.java
is excluded, as there is no equivalent test on 8u, support for DTLS was only added in 9 by JDK-8043758 (JEP 219: Datagram Transport Layer Security (DTLS))Testing:
tier1: OK (only known CAInterop failures)
jdk_security: OK (tested with modified GHA on top, modified security tests (by backport) passed, no regressions to master)
Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/519/head:pull/519
$ git checkout pull/519
Update a local copy of the PR:
$ git checkout pull/519
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/519/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 519
View PR using the GUI difftool:
$ git pr show -t 519
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/519.diff
Webrev
Link to Webrev Comment