On Fri, 26 Jun 2026 12:49:20 GMT, Andreas Chmielewski 
<[email protected]> wrote:

> > > How can we make sure this doesn't happen again when new cipher suites are 
> > > added?
> > 
> > 
> > Good point, Daniel!
> > @chmielewskiandreas How about we add an instructional comment at 
> > `SSLCipher.java:66`: "Make sure to update SSLAlgorithmDecomposer when 
> > adding/removing ciphers below"?
> 
> I think adding a comment would help, but it’s still easy to miss when adding 
> new cipher suites.
> 
> An alternative approach would be to enforce this at test level. We could 
> derive the set of TLS cipher suites dynamically, extract their bulk cipher 
> components, and verify that jdk.tls.disabledAlgorithms correctly disables 
> them.
> 
> This way, if new cipher suites are added, the test will automatically cover 
> them and fail if the bulk cipher decomposition is not updated accordingly.
> 
> I am experimenting with this approach now by iterating over the available 
> cipher suites and deriving the bulk cipher from their names. The main 
> challenge is correctly handling different naming formats, but once that is 
> done, the test becomes self‑maintaining. What do you think?

I think it's a much better approach than just adding a comment, thanks for 
doing it!

-------------

PR Comment: https://git.openjdk.org/jdk/pull/31633#issuecomment-4809779423
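
The test-level check proposed in the quoted message, sketched as an added example; it is not code from the PR or from the JDK test suite. The class name, the `bulkCipher` helper and the `HASH_SUFFIXES` list are hypothetical, and the sketch assumes that the bulk cipher token taken from the suite name is the string `jdk.tls.disabledAlgorithms` is expected to match.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

// Hypothetical stand-alone check, not the PR's test.
public class BulkCipherDisableCheck {

    // Hash/MAC suffixes that end a suite name (assumed list for this sketch).
    private static final List<String> HASH_SUFFIXES =
            List.of("_SHA256", "_SHA384", "_SHA", "_MD5");

    /** Bulk cipher part of a suite name, or null for signalling values. */
    static String bulkCipher(String suite) {
        if (suite.endsWith("_SCSV")) {
            return null;    // e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV has no cipher
        }
        int with = suite.indexOf("_WITH_");
        String rest = with >= 0
                ? suite.substring(with + "_WITH_".length())  // <kx>_WITH_<bulk>_<hash>
                : suite.substring(suite.indexOf('_') + 1);   // TLS 1.3: TLS_<bulk>_<hash>
        for (String h : HASH_SUFFIXES) {
            if (rest.endsWith(h)) {
                return rest.substring(0, rest.length() - h.length());
            }
        }
        return rest;
    }

    public static void main(String[] args) throws Exception {
        // Set the property before JSSE is first used; run each disabled
        // algorithm in a fresh JVM so an earlier setting cannot leak in.
        if (args.length == 1) {
            Security.setProperty("jdk.tls.disabledAlgorithms", args[0]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        Map<String, List<String>> byBulk = new TreeMap<>();
        for (String s : ctx.getSupportedSSLParameters().getCipherSuites()) {
            String bulk = bulkCipher(s);
            if (bulk != null) {
                byBulk.computeIfAbsent(bulk, k -> new ArrayList<>()).add(s);
            }
        }
        if (args.length == 0) {
            byBulk.keySet().forEach(System.out::println);  // bulk ciphers to test
        } else if (byBulk.containsKey(args[0])) {
            throw new AssertionError(args[0] + " still offered: " + byBulk.get(args[0]));
        }
    }
}
```

Because the suite list is read from the running JDK, a newly added suite is picked up without editing the check.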
