On Wed, 4 Feb 2026 19:29:02 GMT, Kirill Shirokov <[email protected]> wrote:
> Removed FFDHE_6144 and FFHDE_8192 from the default list of TLS named groups, > so now to consider them as candidates in TLS handshake user has to enable > them explicitly (e.g. `-Djdk.tls.namedGroups=ffdhe6144,ffhde8192`) > > Tested on Linux x64/aarch64, MacOS aarch64, Windows x64 using jtreg > `test/jdk/sun/security/ssl` and `test/jdk/javax/net/ssl`. > > [tests-linux-aarch64.log](https://github.com/user-attachments/files/25080233/tests-linux-aarch64.log) > [tests-linux-x86.log](https://github.com/user-attachments/files/25080235/tests-linux-x86.log) > [tests-macos-aarch64.log](https://github.com/user-attachments/files/25080236/tests-macos-aarch64.log) > [tests-windows-x64.log](https://github.com/user-attachments/files/25080237/tests-windows-x64.log) Compatibility risks is the reason to keep it. On Wed, Feb 4, 2026 at 1:36 PM Sean Mullan ***@***.***> wrote: > *seanjmullan* left a comment (openjdk/jdk#29577) > <https://github.com/openjdk/jdk/pull/29577#issuecomment-3849863157> > > any bad to keep them? I did not get the idea to take the compatibility > risks. > > Why are they needed by default? AFAIK nobody ever uses them and other > groups will always be negotiated before them since they are at the end of > the list. No other TLS impl that we know of includes these groups by > default. > > — > Reply to this email directly, view it on GitHub > <https://github.com/openjdk/jdk/pull/29577#issuecomment-3849863157>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AQSB3EFEPP6G7YPENUNFJBT4KJQ5LAVCNFSM6AAAAACT73MYXCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTQNBZHA3DGMJVG4> > . > You are receiving this because you commented.Message ID: > ***@***.***> > ------------- PR Comment: https://git.openjdk.org/jdk/pull/29577#issuecomment-3850149351
