[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy (original) (raw)
Brad Wetmore bradford.wetmore at oracle.com
Thu Sep 20 03:21:02 UTC 2012
- Previous message (by thread): [PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
- Next message (by thread): [PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
But I think someone from the security team should chime in on this.
I plan to look closer at this. On the surface, it looks acceptable to me, but I've been heads down in the SNI code: likely for one more day. Wanted to also run this by one of my other colleagues.
One thought: I'm wondering if we might want to have this switch in both Open and Closed. As long as default is off, I don't immediately see a reason to not have it.
Brad
On 9/19/2012 7:34 PM, Kelly O'Hair wrote:
It seems fine with me. But I think someone from the security team should chime in on this.
-kto On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:
This is an issue that has been with us for a while. See:
https://bugs.openjdk.java.net/showbug.cgi?id=100062 http://bugs.sun.com/bugdatabase/viewbug.do?bugid=7188845 for some background. The original proposed patch goes to far in removing most of the infrastructure for restricting crypto levels and signing of crypto jars. The following simple webrev will achieve what I think is needed: http://cr.openjdk.java.net/~andrew/100062/webrev.01/ allowing OpenJDK to be built with the unlimited rather than limited crypto policy in place. The build is only altered if both an OpenJDK build is being performed and UNLIMITEDCRYPTO is defined. In this case, the install-unlimited rule is used to install policies. Without UNLIMITEDCRYPTO being set, OpenJDK builds still depend on install-limited as now. I believe this is a fairly unintrusive change which should allow GNU/Linux distros to ship without crypto restrictions while still using upstream OpenJDK rather than a variant with several classes removed. It's not clear to me why this approach wasn't taken before, so I hope I haven't missed something. If this looks ok, I'll push it as the resolution for bug 7188845. -- Andrew :) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) PGP Key: 248BDC07 (https://keys.indymedia.org/) Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
- Previous message (by thread): [PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
- Next message (by thread): [PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]