[Info-vax] Programming languages on VMS
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Fri Feb 9 17:13:49 EST 2018
On 2018-02-09 19:39:44 +0000, Arne Vajh��j said:
> On 2/8/2018 11:33 AM, Stephen Hoffman wrote:
>> HPE and VSI can and should be providing patches to Java, though there
>> haven't been patches or updates kitted and tested and passed through
>> for OpenVMS based on the various Oracle security updates.
>
> They release occasionally.
>
> 5.0 got an update 9 in April 2016 equivalent to Oracle 1.5.0_85.
>
> 6.0 got an update 7 in September 2017 equivalent to Oracle 1.6.0_151.
Those are very old versions of Java.
Versions prior to Java 8 lack supported for modern DHE lengths; 2048 or
longer is preferred, 1024 minimally, and Java 7 was limited to 768 bits
IIRC.
Versions prior to Java 7 lack support for TLSv1.2, which is a basic
requirement for SSL in recent times. Audits have bagged OpenVMS Java
at a number of sites for this omission.
I'm presently chasing a different down-revision TLS mess and one not
related to Java, too. But I digress.
VSI and HPE do have Java 8 available for OpenVMS I64 V8.4 and later,
and that can use 2048-bit DHE, and offers SNI and other capabilities;
e.g. setting jdk.tls.ephemeralDHKeySize to 2048, preferably.
The current OpenVMS port is based on Java 8 update 51, where the
current version of Java 8 is update 161 released 16-Jan-2018. This is
a problem for some.
No, I don't particularly follow Java nor Java security.
Yes, we're on an upgrade treadmill, and it's just not going to slow
down. Get used to it. We all have no choice but to get faster at it,
too.
--
Pure Personal Opinion | HoffmanLabs LLC
More information about the Info-vax
mailing list