[8u, 11u] Disabling TLS 1.0/1.1 in 8u292/11.0.11 ?
Martin Balao
mbalao at redhat.com
Thu Nov 26 20:23:41 UTC 2020
Hello,
I believe we should keep OpenJDK 8 and 11 aligned to Oracle's JDK [0]
and other TLS implementations as well, and remove TLS 1.0 and TLS 1.1
from a default configuration in April 2021. It's not only about the
protocol being completely broken (as is the case for TLS 1.0) but
improving the security posture by using better crypto primitives and
more reliable configurations. There has been plenty of time in advance
for users to make the necessary changes.
On 11/19/20 4:54 PM, Bernd Eckenfels wrote:
> I don’t really understand why this has to be disabled. I can somewhat understand why the protocols are removed from the default context (however removing it from tlsv1 seems odd). But disabling it means you cannot programmatically turn it on...
>
> I think the common understanding is that TLS 1.1 is not optimal and hard to configure well, but it is not considered broken, or?
>
> We encounter quite a few customers who would have to modify the JDK installation in that case. Can it be de-disabled (new word!) as a system property, maybe?
>
In my view, what's being suggested is to add TLSv1.0 and TLSv1.1 to the
'jdk.tls.disabledAlgorithms' list in java.security [1], as it was
previously done for SSLv3 in JDK-8061210 [2]. Protocol support won't
-and shouldn't- be removed from the JDK 8 or 11 [3]. This means that it
could be available if you change the property value in the configuration
[4] [5].
Thanks,
Martin.-
--
[0] - https://java.com/en/jre-jdk-cryptoroadmap.html
[1] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/lib/security/java.security-linux#l654
[2] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/1c0cc3bbe07d
[3] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/SSLContextImpl.java#l540
[4] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/ProtocolVersion.java#l153
[5] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/SSLContextImpl.java#l478
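
The distinction drawn in the message above, between listing a protocol in 'jdk.tls.disabledAlgorithms' and removing protocol support, can be checked on a running JVM. The following is an added example, not part of the original message or of OpenJDK; the class name TlsLegacyAudit is hypothetical, and it assumes only standard JSSE APIs available in JDK 8 and 11.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): reports how this JVM treats
// TLS 1.0 and TLS 1.1, separating "disabled by configuration" from
// "support present in the implementation".
public class TlsLegacyAudit {

    // Protocol names as JSSE spells them.
    static final String[] LEGACY = { "TLSv1", "TLSv1.1" };

    // Split a comma-separated protocol/algorithm list into trimmed,
    // upper-cased entries so lookups are case-insensitive.
    static Set<String> normalize(Iterable<String> raw) {
        Set<String> out = new LinkedHashSet<>();
        for (String entry : raw) {
            String t = entry.trim();
            if (!t.isEmpty()) {
                out.add(t.toUpperCase(Locale.ROOT));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Value comes from java.security (or an override of it).
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> disabled = normalize(
                Arrays.asList((prop == null ? "" : prop).split(",")));

        SSLContext ctx = SSLContext.getDefault();
        // Protocols the provider implements at all.
        Set<String> supported = normalize(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        // Protocols a default socket/engine would actually offer.
        Set<String> enabled = normalize(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        System.out.println("jdk.tls.disabledAlgorithms = " + prop);
        for (String p : LEGACY) {
            String key = p.toUpperCase(Locale.ROOT);
            System.out.printf("%-8s disabled-in-config=%-5b supported=%-5b enabled-by-default=%b%n",
                    p, disabled.contains(key), supported.contains(key), enabled.contains(key));
        }
    }
}
```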