Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid loading general symlinks first #966

Merged
merged 2 commits into from
Mar 26, 2025
Merged

Avoid loading general symlinks first #966

merged 2 commits into from
Mar 26, 2025

Conversation

KostasTsiounis
Copy link
Contributor

In a few situations, such as in RHEL systems in FIPS mode, where OpenSSL is in FIPS mode as well, loading a general symlink is a security concern and leads to failure, so versioned libraries should be preferred.

Signed-off-by: Kostas Tsiounis [email protected]

@KostasTsiounis
Avoid loading general symlinks first
f1a52ab 
In a few situations, such as in RHEL systems in FIPS
mode, where OpenSSL is in FIPS mode as well, loading
a general symlink is a security concern and leads to
failure, so versioned libraries should be preferred.

Signed-off-by: Kostas Tsiounis <[email protected]>
@pshipton pshipton requested a review from keithc-ca March 19, 2025 20:46
@KostasTsiounis KostasTsiounis mentioned this pull request Mar 20, 2025
Closed
@keithc-ca
Copy link
Member

Jenkins test sanity amac jdknext

@keithc-ca
Copy link
Member

functional.sanity testing failed due to eclipse-openj9/openj9#21463.

@keithc-ca
Copy link
Member

Please review the failure of java/security/KeyAgreement/Generic.java and explain why it is unrelated to this change.

@KostasTsiounis
Copy link
Contributor Author

Please review the failure of java/security/KeyAgreement/Generic.java and explain why it is unrelated to this change.

I've rebuilt without my changes (with head stream) and it fails there too. I've looked further into it and the reason is that the engineGenerateSecret() method on ECDHKeyAgreement was updated with the changes coming from upstream, but we use our NativeECDHKeyAgreement class that uses OpenSSL that doesn't have these updates. I have opened an issue on our wall to sync up those two.

@keithc-ca keithc-ca merged commit 2a33f06 into ibmruntimes:openj9 Mar 26, 2025
3 of 6 checks passed
This was referenced Mar 26, 2025
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keithc-ca keithc-ca keithc-ca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@KostasTsiounis @keithc-ca