Details
-
Bug
-
Resolution: Fixed
-
P4
-
11, 12, 13
-
b23
-
generic
-
generic
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8225827 | 14 | Martin Balao Alonso | P4 | Resolved | Fixed | team |
JDK-8239412 | 11.0.8-oracle | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |
JDK-8228595 | 11.0.5 | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |
JDK-8256915 | openjdk8u272 | Martin Balao Alonso | P4 | Closed | Fixed | b06 |
JDK-8243699 | 8u261 | Prasadarao Koppula | P4 | Resolved | Fixed | b05 |
JDK-8247032 | emb-8u261 | Prasadarao Koppula | P4 | Resolved | Fixed | team |
Description
There is an explicit assumption that SunJCE will always be available, when deciding if a ciphersuite is enabled: http://hg.openjdk.java.net/jdk/jdk/file/4f2fd02922b1/src/java.base/share/classes/sun/security/ssl/SSLCipher.java#l492
In the context of fixing this bug, we should review that assumption and check whether or not the ciphersuite should be offered in run time.
To reproduce this bug, we can apply the attached patch to FipsModeTLS12 test. The TLS client will offer TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite while AES/GCM/NoPadding transformation is not available in SunPKCS11 provider. Verified in JDK revision df2b3565f343.
Attachments
Issue Links
- backported by
-
JDK-8225827 Unsupported ciphersuites may be offered by a TLS client
- Resolved
-
JDK-8228595 Unsupported ciphersuites may be offered by a TLS client
- Resolved
-
JDK-8239412 Unsupported ciphersuites may be offered by a TLS client
- Resolved
-
JDK-8243699 Unsupported ciphersuites may be offered by a TLS client
- Resolved
-
JDK-8247032 Unsupported ciphersuites may be offered by a TLS client
- Resolved
-
JDK-8256915 Unsupported ciphersuites may be offered by a TLS client
- Closed
- relates to
-
JDK-8224954 Test failures with NoSuchAlgorithmException: Unsupported mode GCM after JDK-8223482
- Closed
-
JDK-8225739 sun/security/pkcs11/tls/tls12/FipsModeTLS12.java is not reliable
- Open
-
JDK-8222937 Cannot establish TLS connections in FIPS mode
- Open