On Mon, 29 Jun 2026 18:49:54 GMT, Andreas Chmielewski 
<[email protected]> wrote:

>> test/jdk/javax/net/ssl/ciphersuites/BulkCipherDisabledAlgorithms.java line 
>> 77:
>> 
>>> 75:     private static List<String[]> buildTests() throws 
>>> NoSuchAlgorithmException {
>>> 76:         List<String[]> tests = new ArrayList<>();
>>> 77:         CipherSuite[] suites = getCipherSuites(false);
>> 
>> We are getting cipher suites here with the default 
>> `jdk.tls.disabledAlgorithms` security property set. We need to clear it 
>> (first line in `main`) to cover all possible cipher suites.
>
> That’s a good point, thanks!
> 
> My test consists of two sub-tests (testCipherSuiteVisibility and 
> testHandshake). After clearing jdk.tls.disabledAlgorithms (to cover all 
> possible cipher suites), iterating over getSupportedCipherSuites() works fine 
> for testCipherSuiteVisibility, since the goal is to verify which suites are 
> filtered out by the security property.
> 
> However, for testHandshake this approach leads to failures for some supported 
> cipher suites that are not actually handshakeable (e.g., Unsupported 
> signature algorithm: DSA for DHE_DSS suites, or anonymous cipher suites which 
> are not enabled by default). These failures are unrelated to the behavior 
> under test.
> 
> Therefore, for the handshake test it seems necessary to restrict the set to 
> suites that are both enabled by default and handshakeable (e.g., using 
> getEnabledCipherSuites() a), while still using the full supported set for the 
> visibility checks.
> 
> @artur-oracle What do you think?

Of course, for the handshake we can use the default 
`jdk.tls.disabledAlgorithms` security property. We juts want to make sure we 
decompose bulk ciphers for all cipher suites.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/31633#discussion_r3494170960

Reply via email to