----- Original Message ----- > > But I think someone from the security team should chime in on this. > > I plan to look closer at this. On the surface, it looks acceptable > to > me, but I've been heads down in the SNI code: likely for one more > day. > Wanted to also run this by one of my other colleagues. > > One thought: I'm wondering if we might want to have this switch in > both > Open and Closed. As long as default is off, I don't immediately see > a > reason to not have it. >
I've no problem with that. I just placed it within the OPENJDK ifdef so it won't interfere with the proprietary build at all, as obviously I can't test it ;-) But, either way, if it's not set, there's no change in behaviour. > Brad > > > > On 9/19/2012 7:34 PM, Kelly O'Hair wrote: > > It seems fine with me. > > But I think someone from the security team should chime in on this. > > > > -kto > > > > On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote: > > > >> This is an issue that has been with us for a while. See: > >> > >> https://bugs.openjdk.java.net/show_bug.cgi?id=100062 > >> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845 > >> > >> for some background. > >> > >> The original proposed patch goes to far in removing most of the > >> infrastructure for restricting crypto levels and signing of crypto > >> jars. > >> > >> The following simple webrev will achieve what I think is needed: > >> > >> http://cr.openjdk.java.net/~andrew/100062/webrev.01/ > >> > >> allowing OpenJDK to be built with the unlimited rather than > >> limited > >> crypto policy in place. > >> > >> The build is only altered if both an OpenJDK build is being > >> performed > >> and UNLIMITED_CRYPTO is defined. In this case, the > >> install-unlimited > >> rule is used to install policies. Without UNLIMITED_CRYPTO being > >> set, > >> OpenJDK builds still depend on install-limited as now. > >> > >> I believe this is a fairly unintrusive change which should allow > >> GNU/Linux > >> distros to ship without crypto restrictions while still using > >> upstream > >> OpenJDK rather than a variant with several classes removed. > >> > >> It's not clear to me why this approach wasn't taken before, so I > >> hope I haven't > >> missed something. > >> > >> If this looks ok, I'll push it as the resolution for bug 7188845. > >> -- > >> Andrew :) > >> > >> Free Java Software Engineer > >> Red Hat, Inc. (http://www.redhat.com) > >> > >> PGP Key: 248BDC07 (https://keys.indymedia.org/) > >> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07 > >> > > > -- Andrew :) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) PGP Key: 248BDC07 (https://keys.indymedia.org/) Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
