JDK-8181876 : Ignore named groups that are not supported by the underlying key generation
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u161,9.0.4,10
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2017-06-09
  • Updated: 2017-09-27
  • Resolved: 2017-06-20
Description
Even if a named group is valid as an algorithm parameter, the underlying key generation may not be able to use that named group for key pair generation or key agreement.

Such groups need to be ignored; otherwise there are potential compatibility problems if the underlying providers support different sets of parameters for key generation and key agreement.
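The probe-and-ignore idea from the description, written out as an added example (this is not the webrev's code and not part of the JDK): each candidate group is offered to the provider's KeyPairGenerator, and a group is kept only if the provider can actually initialize and generate a key pair for it. It uses EC named curves because the FFDHE groups on this page are plain DHParameterSpec objects whose primes are not given here; the same `isUsable` call applies to a DH spec. The curve names `secp256r1` and `secp384r1` are real SunEC names, `not-a-curve` is a constructed bogus name, and the class and method names are this example's own.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class NamedGroupProbe {

    /**
     * Returns true only if the default provider can both initialize a key
     * pair generator for the given algorithm with this parameter spec and
     * actually produce a key pair from it. A spec that is syntactically
     * valid but rejected by the provider yields false and is ignored.
     * (Hypothetical helper written for this example.)
     */
    static boolean isUsable(String algorithm, AlgorithmParameterSpec spec) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
            kpg.initialize(spec);
            kpg.generateKeyPair();   // initialize() alone is not proof; generate once
            return true;
        } catch (NoSuchAlgorithmException e) {
            // no generator for this algorithm at all
            return false;
        } catch (InvalidAlgorithmParameterException e) {
            // valid-looking parameters the provider cannot generate keys for
            return false;
        }
    }

    /** Filters a list of EC named curves down to those the provider supports. */
    static List<String> supportedEcGroups(List<String> candidates) {
        List<String> usable = new ArrayList<>();
        for (String name : candidates) {
            if (isUsable("EC", new ECGenParameterSpec(name))) {
                usable.add(name);
            }
        }
        return usable;
    }

    public static void main(String[] args) {
        // Constructed candidate list: two real curves plus one bogus name.
        List<String> candidates = Arrays.asList("secp256r1", "secp384r1", "not-a-curve");
        System.out.println("usable groups: " + supportedEcGroups(candidates));
    }
}
```

Because the probe costs one key pair generation per candidate group, it should run once per provider (for example at JSSE initialization) and the result cached, rather than on every handshake; this is the performance concern raised in the closing comment below.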
Comments
If a DH group's parameters are supported by the underlying provider, the key pair generation should also be supported. Otherwise, there are other kinds of problems with using the DH parameters in practice. Adding additional checking for key generation is not performance friendly. It may not be worthy of an update in JSSE. If a JCE provider is not consistent in the parameters and key pair generation, please consider having that consistency. The update is ready to use, but I'd like to close it as "will not fix". See webrev: http://cr.openjdk.java.net/~xuelei/8181876/webrev.00/ No impact on JDK 9 and 10 as the underlying JDK providers support all FFDHE named groups.
20-06-2017