Re: RFR: 8370885: Default namedGroups values are not being filtered against algorithm constraints [v4]

Thu, 15 Jan 2026 02:28:48 -0800 

On Fri, 2 Jan 2026 15:02:31 GMT, Artur Barashev <[email protected]> wrote:

>> NamedGroup.SupportedGroups.namedGroups values are not being filtered against 
>> algorithm constraints, unlike other SSLParameters returned by 
>> SSLConfiguration#getSSLParameters() call. Those are the values being 
>> displayed to the user with "java -XshowSettings:security:tls" command.
>> 
>> Also making changes to avoid needless default group names lookup while we 
>> are touching this file.
>
> Artur Barashev has updated the pull request with a new target base due to a 
> merge or a rebase. The pull request now contains five commits:
> 
>  - Merge branch 'master' into JDK-8370885
>    
>    # Conflicts:
>    #  src/java.base/share/classes/sun/security/ssl/NamedGroup.java
>  - Update copyright year
>  - Merge branch 'master' into JDK-8370885
>  - Merge branch 'master' into JDK-8370885
>    
>    # Conflicts:
>    #  src/java.base/share/classes/sun/security/ssl/NamedGroup.java
>  - 8370885: Default namedGroups values are not being filtered against 
> algorithm constraints

src/java.base/share/classes/sun/security/ssl/NamedGroup.java line 780:

> 778:                 customizedGroups == null ?
> 779:                         null : Arrays.stream(customizedGroups)
> 780:                         .map(ng -> ng.name)

The filtering against algorithm constraints is not being done for 
customizedNames. Is it to preserve user’s selection and let constraints to be 
applied during handshake as before? It is different from defaultNames’s. 
Suggest to add some comments for it.

src/java.base/share/classes/sun/security/ssl/NamedGroup.java line 799:

> 797:         // Avoid the group lookup for default and customized groups.
> 798:         static NamedGroup[] getGroupsFromConfig(SSLConfiguration 
> sslConfig) {
> 799:             if (sslConfig.namedGroups == defaultNames) {

Nit: getGroupsFromConfig() can choose from pre-initialized defaultGroups, 
customizedGroups, or sslConfig.namedGroups. Its name sounds like it reads 
something directly from SSLConfiguration.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28397#discussion_r2693798265
PR Review Comment: https://git.openjdk.org/jdk/pull/28397#discussion_r2693809343

Reply via email to