On Fri, 26 Jun 2026 12:49:20 GMT, Andreas Chmielewski <[email protected]> wrote:
> > > How can we make sure this doesn't happen again when new cipher suites are
> > > added?
> > >
> > > Good point, Daniel!
> > @chmielewskiandreas How about we add an instructional comment at
> > `SSLCipher.java:66`: "Make sure to update SSLAlgorithmDecomposer when
> > adding/removing ciphers below"?
>
> I think adding a comment would help, but it’s still easy to miss when adding
> new cipher suites.
>
> An alternative approach would be to enforce this at test level. We could
> derive the set of TLS cipher suites dynamically, extract their bulk cipher
> components, and verify that jdk.tls.disabledAlgorithms correctly disables
> them.
>
> This way, if new cipher suites are added, the test will automatically cover
> them and fail if the bulk cipher decomposition is not updated accordingly.
>
> I am experimenting with this approach now by iterating over the available
> cipher suites and deriving the bulk cipher from their names. The main
> challenge is correctly handling different naming formats, but once that is
> done, the test becomes self‑maintaining. What do you think?

I think it's a much better approach than just adding a comment, thanks for doing it!

-------------

PR Comment: https://git.openjdk.org/jdk/pull/31633#issuecomment-4809779423
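
The name-parsing step of the test approach discussed in this thread, sketched as an added example that is not code from the PR or from either participant. The class name, the `bulkCipher` helper, the hash-suffix list and the rule "bulk cipher = text after `_WITH_` (or after `TLS_` for TLS 1.3 names) minus the trailing hash" are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class BulkCipherFromSuiteName {
    // Hash/PRF names that can terminate a cipher suite name (assumed list).
    private static final List<String> HASHES = List.of("SHA256", "SHA384", "SHA", "MD5");

    /** Returns the bulk-cipher token, or empty for signaling values and unknown formats. */
    static Optional<String> bulkCipher(String suite) {
        if (suite.endsWith("_SCSV")) {
            return Optional.empty();   // TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a real suite
        }
        String rest;
        int with = suite.indexOf("_WITH_");
        if (with >= 0) {
            rest = suite.substring(with + "_WITH_".length());  // TLS 1.2 and earlier, TLS_ or SSL_ prefix
        } else if (suite.startsWith("TLS_")) {
            rest = suite.substring("TLS_".length());           // TLS 1.3: no key-exchange part
        } else {
            return Optional.empty();
        }
        for (String h : HASHES) {
            if (rest.endsWith("_" + h)) {                      // drop the MAC/PRF suffix
                rest = rest.substring(0, rest.length() - h.length() - 1);
                break;
            }
        }
        return rest.isEmpty() ? Optional.empty() : Optional.of(rest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed names covering each naming format, then the suites this runtime supports.
        List<String> names = new ArrayList<>(List.of(
            "TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"));
        names.addAll(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        Map<String, Set<String>> byBulk = new TreeMap<>();
        List<String> unparsed = new ArrayList<>();
        for (String n : names) {
            bulkCipher(n).ifPresentOrElse(
                b -> byBulk.computeIfAbsent(b, k -> new TreeSet<>()).add(n),
                () -> unparsed.add(n));
        }
        byBulk.forEach((b, s) -> System.out.println(b + " -> " + s));
        // A self-maintaining test would fail here on anything other than the SCSV value.
        System.out.println("not decomposed: " + unparsed);
    }
}
```

Each key of `byBulk` is a candidate entry to place in `jdk.tls.disabledAlgorithms`, with the mapped suites being the ones a test would then expect to be rejected.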
