[11u] RFR: 8206925: Support the certificate_authorities extension

[11u] RFR: 8206925: Support the certificate_authorities extension

Doerr, Martin

Hi,

JDK-8206925 was backported to 11.0.10-oracle, but it’s still missing in the Open Source version.
I'd like to backport it for parity.
It does apply cleanly, but I had to modify it, because the following change is not in 11u:
https://bugs.openjdk.java.net/browse/JDK-8215712

Bug:
https://bugs.openjdk.java.net/browse/JDK-8206925

Original change:
https://hg.openjdk.java.net/jdk/jdk/rev/827bac238aa0

11u backport:
http://cr.openjdk.java.net/~mdoerr/8206925_ca_ext_11u/webrev.00/

Manual change to make it work without JDK-8215712 (SSLStringizer and derived classes don’t take a HandshakeContext in 11u):
http://cr.openjdk.java.net/~mdoerr/8206925_ca_ext_11u/8206925_ca_ext_diff.txt

Please review.

Best regards,
Martin

RE: [11u] RFR: 8206925: Support the certificate_authorities extension

Langer, Christoph

Hi Martin,

your backport looks good. I see the new tests pass and our testing does not unveil other regressions. Reviewed.

Oracle has already included this item in 11.0.10 but it fell through the cracks for OpenJDK 11u due to an issue with the updates filter. However, it seems like an important item for TLS 1.3 usability. We have just received a customer request why this wasn’t included in 11u yet, they would need it for their product to move on to TLS 1.3. So I think we should strive for 11.0.11 with this backport. Please label accordingly. Adding [hidden email] and [hidden email] for their opinion on this decision 😊

The CSR https://bugs.openjdk.java.net/browse/JDK-8248709 should apply to this backport, please link it to the JBS issue.

Thanks & Best regards
Christoph

From: Doerr, Martin <[hidden email]>
Sent: Tuesday, 23 March 2021 16:25
To: [hidden email]; security-dev <[hidden email]>
Cc: Lindenmaier, Goetz <[hidden email]>; Langer, Christoph <[hidden email]>
Subject: [11u] RFR: 8206925: Support the certificate_authorities extension

 

RE: [11u] RFR: 8206925: Support the certificate_authorities extension

Doerr, Martin

Hi Christoph,

thank you for the review and checking the tests!

I agree. We should try to deliver it with 11.0.11 if possible.
I’ve added the CSR to my backport comment and labeled the issue with jdk11u-critical-request.

Best regards,
Martin

From: Langer, Christoph <[hidden email]>
Sent: Wednesday, 24 March 2021 15:48
To: Doerr, Martin <[hidden email]>; [hidden email]; security-dev <[hidden email]>; Severin Gehwolf <[hidden email]>; Andrew Haley <[hidden email]>
Cc: Lindenmaier, Goetz <[hidden email]>
Subject: RE: [11u] RFR: 8206925: Support the certificate_authorities extension

 
