On 3/30/20 4:47 PM, Alex Scheel wrote:
> For one example here, take the long-standing Debian ticket against
> Dogtag:
> https://www.pagure.io/dogtagpki/issue/3088
>
> OpenJDK 11 moved to TLS v1.3, but didn't fully implement the spec: PHA isn't
> available. This is a requirement for our particular application.
>
> It isn't clear why forcing TLS v1.2 didn't fix this issue. TLS v1.2 works fine
> on OpenJDK 8. IMO, this makes it a JDK11 bug. And not the type we have time to
> debug and figure out what broke in OpenJDK.
>
> With the introduction of JSS's SSLEngine, we can work around this problem, but
> that isn't yet merged.
> https://github.com/dogtagpki/jss/pull/150

Tricky. It's kinda inevitable that some things will break at some time. We
have to decide whether Dogtag is a blocker for JDK 11 as system JDK.
--
Andrew Haley (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671