On Mon, 24 Nov 2025 07:51:40 GMT, Hai-May Chao <[email protected]> wrote:

>> Implement hybrid key exchange support for TLS 1.3 by adding three post-quantum hybrid named groups: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024.
>> Please see [JEP 527](https://openjdk.org/jeps/527) for details about this change.
>
> Hai-May Chao has updated the pull request incrementally with three additional commits since the last revision:
>
>  - Update names to uppercase
>  - Remove fallback in engineGeneratePublic
>  - Change default named group list to have only X25519MLKEM768

test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java line 38:

> 36:  * @comment SunPKCS11 does not support (TLS1.2) SunTlsExtendedMasterSecret yet.
> 37:  * Stateless resumption doesn't currently work with NSS-FIPS, see JDK-8368669
> 38:  * @run main/othervm/timeout=120 -Djdk.tls.client.protocols=TLSv1.3 -Djdk.tls.namedGroups=x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192 FipsModeTLS

Long line, break up into more than one line.

Also instead of setting the system property, suggest using the `SSLParameters.getNamedGroups()` API to read the default list of named groups, remove X25519MLKEM768 and then set the list back. This way if the other defaults change in the future (like removing some of the ffdhe groups) the code will still be ok and reflect the default list. It looks like the code already does that for other groups in `createSSLEngine`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2561324376
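
The approach suggested in the review comment above, as an added example that is not part of the original message or of the JDK test: read the engine's current named groups, drop X25519MLKEM768, and set the remaining list back. The class and method names (`NamedGroupFilter`, `without`, `createEngine`) are hypothetical, and the sketch assumes a JDK that provides `SSLParameters.getNamedGroups()`/`setNamedGroups()`.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class NamedGroupFilter {
    // Group name taken from the review comment; everything else here is illustrative.
    static final String EXCLUDED = "X25519MLKEM768";

    /** Returns groups minus the excluded name, keeping the original priority order. */
    static String[] without(String[] groups, String excluded) {
        return Arrays.stream(groups)
                .filter(g -> !g.equalsIgnoreCase(excluded))
                .toArray(String[]::new);
    }

    /** Creates an engine whose named groups are the current defaults minus EXCLUDED. */
    static SSLEngine createEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();

        // Start from whatever the runtime reports, so later changes to the
        // default list (for example dropped ffdhe groups) are picked up.
        String[] current = params.getNamedGroups();
        if (current != null) {          // null: no list has been set, nothing to filter
            String[] filtered = without(current, EXCLUDED);
            if (filtered.length == 0) {
                throw new IllegalStateException(
                        "No named groups left after removing " + EXCLUDED);
            }
            params.setNamedGroups(filtered);
            engine.setSSLParameters(params);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = createEngine(SSLContext.getDefault());
        String[] groups = engine.getSSLParameters().getNamedGroups();
        System.out.println("Named groups in use: " + Arrays.toString(groups));
        // The excluded hybrid group must not be offered by this engine.
        if (groups != null
                && Arrays.stream(groups).anyMatch(EXCLUDED::equalsIgnoreCase)) {
            throw new AssertionError(EXCLUDED + " is still enabled");
        }
    }
}
```

Because the list is derived at run time rather than hard-coded in a `-Djdk.tls.namedGroups` value, only the single excluded name has to be maintained.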
