On Mon, 29 Jun 2026 19:20:19 GMT, Artur Barashev <[email protected]> wrote:

>> That’s a good point, thanks!
>> 
>> My test consists of two sub-tests (testCipherSuiteVisibility and 
>> testHandshake). After clearing jdk.tls.disabledAlgorithms (to cover all 
>> possible cipher suites), iterating over getSupportedCipherSuites() works 
>> fine for testCipherSuiteVisibility, since the goal is to verify which suites 
>> are filtered out by the security property.
>> 
>> However, for testHandshake this approach leads to failures for some 
>> supported cipher suites that are not actually handshakeable (e.g., 
>> Unsupported signature algorithm: DSA for DHE_DSS suites, or anonymous cipher 
>> suites which are not enabled by default). These failures are unrelated to 
>> the behavior under test.
>> 
>> Therefore, for the handshake test it seems necessary to restrict the set to 
>> suites that are both enabled by default and handshakeable (e.g., using 
>> getEnabledCipherSuites()), while still using the full supported set for 
>> the visibility checks.
>> 
>> @artur-oracle What do you think?
>
> Of course, for the handshake we can use the default 
> `jdk.tls.disabledAlgorithms` security property. We just want to make sure we 
> decompose bulk ciphers for all cipher suites.

done

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/31633#discussion_r3500506410
