On Wed, 4 Feb 2026 19:29:02 GMT, Kirill Shirokov <[email protected]> wrote:

> Removed FFDHE_6144 and FFDHE_8192 from the default list of TLS named groups, 
> so now, to consider them as candidates in the TLS handshake, the user has to enable 
> them explicitly (e.g. `-Djdk.tls.namedGroups=ffdhe6144,ffdhe8192`).
> 
> Tested on Linux x64/aarch64, macOS aarch64, Windows x64 using jtreg 
> `test/jdk/sun/security/ssl` and `test/jdk/javax/net/ssl`.
> 
> [tests-linux-aarch64.log](https://github.com/user-attachments/files/25080233/tests-linux-aarch64.log)
> [tests-linux-x86.log](https://github.com/user-attachments/files/25080235/tests-linux-x86.log)
> [tests-macos-aarch64.log](https://github.com/user-attachments/files/25080236/tests-macos-aarch64.log)
> [tests-windows-x64.log](https://github.com/user-attachments/files/25080237/tests-windows-x64.log)

The vendor default is different from application use.  Once there is an
application that depends on the behavior, there are compatibility risks.  Why
take the risks?  There should be a good reason, as it has potential
compatibility risks.

On Wed, Feb 4, 2026 at 2:55 PM Xuelei Fan ***@***.***> wrote:

> Compatibility risk is the reason to keep it.
>
> On Wed, Feb 4, 2026 at 1:36 PM Sean Mullan ***@***.***>
> wrote:
>
>> *seanjmullan* left a comment (openjdk/jdk#29577)
>> <https://github.com/openjdk/jdk/pull/29577#issuecomment-3849863157>
>>
>> Is it bad to keep them? I did not get the idea of taking the compatibility
>> risks.
>>
>> Why are they needed by default? AFAIK nobody ever uses them and other
>> groups will always be negotiated before them since they are at the end of
>> the list. No other TLS impl that we know of includes these groups by
>> default.
>>
>

-------------

PR Comment: https://git.openjdk.org/jdk/pull/29577#issuecomment-3850160422
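
For an application that does depend on these groups, the opt-in discussed in this thread can also be scoped to a single connection instead of the JVM-wide `jdk.tls.namedGroups` property. The following is an added example, not code from the PR or from OpenJDK; it assumes JDK 20 or later (for `SSLParameters.getNamedGroups`/`setNamedGroups`), and the class and method names are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper class: opts one connection back in to the large FFDHE groups.
public class EnableLargeFfdhe {
    // The two groups the PR removes from the default list.
    static final List<String> LARGE_FFDHE = List.of("ffdhe6144", "ffdhe8192");

    // Append the large FFDHE groups after whatever is already configured, so
    // they stay last in preference order. Already-present names are not duplicated
    // (setNamedGroups rejects duplicate entries).
    static String[] appendLargeFfdhe(String[] current) {
        if (current == null) {
            // The provider exposed no explicit list: do not guess one.
            return null;
        }
        Set<String> groups = new LinkedHashSet<>(List.of(current));
        groups.addAll(LARGE_FFDHE);
        return groups.toArray(new String[0]);
    }

    static String show(String[] groups) {
        return groups == null ? "(provider default)" : String.join(",", groups);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        SSLParameters params = engine.getSSLParameters();

        String[] before = params.getNamedGroups();
        System.out.println("before: " + show(before));

        String[] wanted = appendLargeFfdhe(before);
        if (wanted != null) {
            params.setNamedGroups(wanted);
            engine.setSSLParameters(params);   // affects this engine only
        }
        System.out.println("after:  " + show(engine.getSSLParameters().getNamedGroups()));
    }
}
```

Running it on a given JDK build prints the group list before and after, which shows whether that build's defaults already include the two groups.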
