Yes, you are right. I know the providers have their preference and we are
installing Corretto as the first one.
So if a service is not there, it will just search where it is next. I completely
forgot this aspect of it ... Folks from Corretto forgot to mention this
behavior as well, interesting. It is not as if we are going to use this _as the
only provider_.
In that case I think we can set it as default.
We just need to be cautious to not use e.g. Cipher.getInstance("algorithm",
"provider") - provider being "AmazonCorrettoCryptoProvider" or anything like
that. In other words, as long as we are not specifying a concrete provider to
get an instance from, we should be safe. I looked over the codebase and we are
not using it anywhere.
________________________________________
From: J. D. Jordan <[email protected]>
Sent: Wednesday, July 26, 2023 14:32
To: [email protected]
Subject: Re: [DISCUSS] Using ACCP or tc-native by default
I thought the crypto providers were supposed to “ask the next one down the
line” if something is not supported? Have you tried some unsupported thing and
seen it break? My understanding of the providers being an ordered list was
that isn’t supposed to happen.
-Jeremiah
On Jul 26, 2023, at 3:23 AM, Mick Semb Wever <[email protected]> wrote:
That means that if somebody is on 4.0 and they upgrade to 5.0, if they use some
ciphers / protocols / algorithms which are not in Corretto, it might break
their upgrade.
If there's any risk of breaking upgrades we have to go with (2). We support a
variation of JCE configurations, and I don't see we have the test coverage in
place to de-risk it other than going with (2).
Once the yaml configuration is in place we can then change the default in the
next major version 6.0.
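
To make the distinction drawn at the top of this thread concrete, the following is an added example and not Cassandra, Corretto or ACCP code. It installs a hypothetical provider named "EmptyFirst" (an assumed stand-in for any partial provider sitting at position 1, implementing nothing) and then shows that an unpinned Cipher.getInstance(alg) call walks the provider list and still resolves, whereas pinning a provider by name turns off that fall-through: a provider that exists but lacks the algorithm raises NoSuchAlgorithmException, and a provider that is not installed at all raises NoSuchProviderException.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.Mac;

/**
 * Added example, not project code. Demonstrates JCA provider lookup:
 * unpinned lookups fall through the ordered provider list, pinned
 * lookups do not.
 */
public class ProviderFallbackDemo {

    /**
     * Hypothetical provider that registers no services at all. It stands in
     * for any provider installed first that covers only a subset of algorithms.
     */
    static final class EmptyFirstProvider extends Provider {
        EmptyFirstProvider() {
            // Provider(String name, String versionStr, String info), Java 9+.
            super("EmptyFirst", "1.0", "Demo provider implementing nothing");
        }
    }

    /** Returns the name of the provider an unpinned lookup resolves to. */
    static String resolveUnpinned(String transformation) throws Exception {
        // No provider named: JCA tries each provider in order and returns the
        // first one that implements the transformation (EmptyFirst is skipped).
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /**
     * Returns the simple name of the exception a pinned lookup throws, or
     * "ok" if it unexpectedly succeeds. Pinning disables fall-through.
     */
    static String pinnedOutcome(String transformation, String providerName) {
        try {
            Cipher.getInstance(transformation, providerName);
            return "ok";
        } catch (NoSuchAlgorithmException e) {
            // Provider exists but does not implement the transformation.
            return e.getClass().getSimpleName();
        } catch (NoSuchProviderException e) {
            // No provider with that name is installed at all.
            return e.getClass().getSimpleName();
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Put the empty provider at the head of the list, as an installer
        // would do for a preferred provider.
        Security.insertProviderAt(new EmptyFirstProvider(), 1);

        System.out.println("Provider order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }

        // 1. Unpinned: resolves past EmptyFirst to SunJCE on a stock JDK.
        System.out.println("Unpinned AES/GCM/NoPadding -> "
                + resolveUnpinned("AES/GCM/NoPadding"));

        // 2. Pinned to an installed provider that lacks the algorithm:
        //    NoSuchAlgorithmException, no fall-through to the next provider.
        System.out.println("Pinned to EmptyFirst -> "
                + pinnedOutcome("AES/GCM/NoPadding", "EmptyFirst"));

        // 3. Pinned to a provider that is not installed: NoSuchProviderException.
        System.out.println("Pinned to NotInstalled -> "
                + pinnedOutcome("AES/GCM/NoPadding", "NotInstalled"));

        // Mac.getInstance(alg, provider) behaves the same way as Cipher.
        try {
            Mac.getInstance("HmacSHA256", "EmptyFirst");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Pinned Mac lookup -> " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac ProviderFallbackDemo.java && java ProviderFallbackDemo`. If the real ACCP jar is on the classpath, the same program can be pointed at its provider name instead of "EmptyFirst" to see which transformations it actually serves; the codebase check described above amounts to finding every two-argument `getInstance(..., "ProviderName")` call and every `getInstance(..., Provider)` call, since those are the only lookups that bypass the ordered list.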