Hello,
just a comment, it Looks like IcedTea Project also made this removal optional:
https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2392
I think thats a really bad solution in case it is for PKCS11 compatibility („align with NSS“). If it is for some Kind of conformance, it should be clearly documented especially as it narros down the selection to specifically misstrustd NIST curves.
Is that really the Version shipped with RHEL7? For 8 as well? (will check and report later on)
Gruss
Bernd
--
You received this message because you are subscribed to the Google Groups "ojdkbuild" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ojdkbuild+...@googlegroups.com.
To post to this group, send email to ojdk...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ojdkbuild/c65b5058-9834-4633-914a-1126c09797bb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hello Alex,
Thanks for responding (and in case it was not clear, was not meant to critizie you). 😊
> In ojdkbuild NSS is used for SunEC provider the same way it is used on
> RHEL and the set of available elliptic curves is the same as on RHEL.
Hm… ok, I understood it differently (i.e. NSS used as an external Provider), but yes there might be a good reason to use NSS lib in the implementation in order to actually harmonize the native crypto Providers in RHEL – in that case the curves need to reflect the NSS ones. (this is however a major difference to openjdk in itself)
>> For 8 as well? (will check and report later on)
> I cannot comment on RHEL 8 before its release, but can confirm, that the
> same logic is used in jdk11 on Fedora [4][5][6].
Actually I meant if it is used in Java 8 and 11 for RHEL 7, Thanks for clarification.
I wonder (especially on Windows) if this is a good thing for ojdkbuild? I have the Impression most users use it as a compatible built for OpenJDK not Fedora (even when you clearly state otherwise).
Gruss
Bernd