On Fri, 26 Jun 2026 12:34:57 GMT, Artur Barashev <[email protected]> wrote:

> > How can we make sure this doesn't happen again when new cipher suites are 
> > added?
> 
> Good point, Daniel!
> 
> @chmielewskiandreas How about we add an instructional comment at 
> `SSLCipher.java:66`: "Make sure to update SSLAlgorithmDecomposer when 
> adding/removing ciphers below"?

I think adding a comment would help, but it’s still easy to miss when adding 
new cipher suites.

An alternative approach would be to enforce this at test level. We could derive 
the set of TLS cipher suites dynamically, extract their bulk cipher components, 
and verify that jdk.tls.disabledAlgorithms correctly disables them.

This way, if new cipher suites are added, the test will automatically cover 
them and fail if the bulk cipher decomposition is not updated accordingly.

I am experimenting with this approach now by iterating over the available 
cipher suites and deriving the bulk cipher from their names. The main challenge 
is correctly handling different naming formats, but once that is done, the test 
becomes self‑maintaining. What do you think?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/31633#issuecomment-4809716505
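
The name-handling step described in the message above, as an added example that is not part of the original comment or the PR's code: it derives the bulk cipher token from each cipher suite name across the TLS 1.3, `_WITH_` and signalling-value formats and groups the suites this runtime supports by that token. The class name `BulkCipherNames`, the helper `bulkCipherOf` and the hash suffix list are assumptions, and the check against jdk.tls.disabledAlgorithms is not shown.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class BulkCipherNames {
    // Trailing MAC/PRF hash tokens (assumption: enough for the names JSSE reports).
    private static final Set<String> HASHES = Set.of("SHA", "SHA256", "SHA384", "MD5");

    // Returns the bulk cipher part of a suite name, or null for signalling values.
    static String bulkCipherOf(String suite) {
        if (suite.endsWith("_SCSV")) {
            return null;                                       // no cipher in a signalling value
        }
        String rest;
        int with = suite.indexOf("_WITH_");
        if (with >= 0) {
            rest = suite.substring(with + "_WITH_".length());  // TLS 1.2 and earlier
        } else if (suite.startsWith("TLS_")) {
            rest = suite.substring("TLS_".length());           // TLS 1.3: TLS_<bulk>_<hash>
        } else {
            // Fail loudly so an unknown naming format cannot slip past a test.
            throw new IllegalArgumentException("Unrecognized name format: " + suite);
        }
        int last = rest.lastIndexOf('_');
        if (last > 0 && HASHES.contains(rest.substring(last + 1))) {
            rest = rest.substring(0, last);                    // drop the hash suffix
        }
        return rest;
    }

    public static void main(String[] args) throws Exception {
        // Constructed names, one per format the parser has to handle.
        List<String> names = new ArrayList<>(List.of(
                "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_RSA_WITH_NULL_SHA256",
                "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"));
        // Plus whatever this runtime supports, so newly added suites are picked up.
        names.addAll(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        Map<String, Set<String>> byBulk = new TreeMap<>();
        for (String name : names) {
            String bulk = bulkCipherOf(name);
            if (bulk != null) {
                byBulk.computeIfAbsent(bulk, k -> new TreeSet<>()).add(name);
            }
        }
        byBulk.forEach((bulk, suites) -> System.out.println(bulk + " <- " + suites));
    }
}
```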
