Yes, you are right. I know the providers have their preference and we are installing Corretto as the first one.
So if a service is not there it will just search where it is next. I completely forgot this aspect of it ... Folks from Corretto forgot to mention this behavior as well, interesting. It is not as if we are going to use this _as the only provider_. In that case I think we can set it as default. We just need to be cautious to not use e.g. Cipher.getInstance("algorithm", "provider") - provider being "AmazonCorrettoCryptoProvider" or anything like that. In other words, as long as we are not specifying a concrete provider to get an instance from, we should be safe. I looked over the codebase and we are not using it anywhere.

________________________________________
From: J. D. Jordan <jeremiah.jor...@gmail.com>
Sent: Wednesday, July 26, 2023 14:32
To: dev@cassandra.apache.org
Subject: Re: [DISCUSS] Using ACCP or tc-native by default

I thought the crypto providers were supposed to “ask the next one down the line” if something is not supported? Have you tried some unsupported thing and seen it break? My understanding of the providers being an ordered list was that isn’t supposed to happen.

-Jeremiah

On Jul 26, 2023, at 3:23 AM, Mick Semb Wever <m...@apache.org> wrote:

That means that if somebody is on 4.0 and they upgrade to 5.0, if they use some ciphers / protocols / algorithms which are not in Corretto, it might break their upgrade.

If there's any risk of breaking upgrades we have to go with (2). We support a variation of JCE configurations, and I don't see we have the test coverage in place to de-risk it other than going with (2). Once the yaml configuration is in place we can then change the default in the next major version 6.0.
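
The lookup behaviour discussed in this thread can be checked on any JVM with the following added example (not code from the thread's participants or from Cassandra). For each transformation it reports which provider serves the unqualified lookup and whether pinning the lookup to the first-preference provider would fail. The class name and the transformation list are constructed for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class ProviderFallthroughCheck {

    // Name of the provider that serves an unqualified lookup,
    // or null if no installed provider implements the transformation.
    static String resolvedBy(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return null;
        }
    }

    // True only if the named provider itself implements the transformation.
    static boolean availableFrom(String transformation, String provider)
            throws NoSuchProviderException {
        try {
            Cipher.getInstance(transformation, provider);
            return true;
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return false; // no fall-through: other providers are never consulted
        }
    }

    public static void main(String[] args) throws NoSuchProviderException {
        // Position 1 in the preference order; with ACCP installed first,
        // this is "AmazonCorrettoCryptoProvider".
        String preferred = Security.getProviders()[0].getName();
        // Constructed sample list; replace with the transformations a deployment uses.
        String[] transformations = {
            "AES/GCM/NoPadding", "AES/CBC/PKCS5Padding", "ChaCha20-Poly1305"
        };
        for (String t : transformations) {
            System.out.printf("%-22s unqualified -> %-12s pinned to %s -> %s%n",
                    t, resolvedBy(t), preferred,
                    availableFrom(t, preferred) ? "ok" : "NoSuchAlgorithmException");
        }
    }
}
```

A row where the unqualified column names a different provider than the preferred one is a fall-through; a null there means no installed provider offers the transformation at all.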