On Thu, 5 Feb 2026 18:28:52 GMT, Sean Mullan <[email protected]> wrote:
>>> other groups will always be negotiated before them since they are at the
>>> end of the list.
>>
>> I don't think we can come to this conclusion. Per TLS specification, at the
>> end of the list, does not mean it will not be used. That's the reason why
>> the specification is defined so. Otherwise, just one entry is fine.
>
> These extremely large groups should really be opt-in as they are almost never
> used in practice and require additional resources to process, so the server
> should opt-in. I have found no evidence of them being used anywhere - do you
> have any references? In general, DHE groups and cipher suites are becoming
> legacy and I expect the JDK to eventually deprecate more of them as we move
> forward in the next few years.
>
> The CSR's purpose is to document compatibility risk.
> @seanjmullan, could you please approve this PR since the CSR has been
> approved?

Let me pull your fix first and run it through our CI to make sure everything passes.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/29577#issuecomment-4510483956
