[8u, 11u] Disabling TLS 1.0/1.1 in 8u292/11.0.11 ?
Gil Tene
gil at azul.com
Thu Nov 26 20:36:55 UTC 2020
+1
> On Nov 26, 2020, at 12:23 PM, Martin Balao <mbalao at redhat.com> wrote:
>
> Hello,
>
> I believe we should keep OpenJDK 8 and 11 aligned to Oracle's JDK [0]
> and other TLS implementations as well, and remove TLS 1.0 and TLS 1.1
> from a default configuration in April 2021. It's not only about the
> protocol being completely broken (as is the case for TLS 1.0) but
> improving the security posture by using better crypto primitives and
> more reliable configurations. There has been plenty of time in advance
> for users to make the necessary changes.
>
> On 11/19/20 4:54 PM, Bernd Eckenfels wrote:
>> I don’t really understand why this has to be disabled. I can somewhat understand why the protocols are removed from the default context (however removing it from tlsv1 seems odd). But disabling it means you cannot programmatically turn it on...
>>
>> I think the common understanding is that tls1.1 is not optimal and hard to configure well, but it is not considered broken, or?
>>
>> We encounter quite a few customers who would have to modify the JDK installation in that case. Can it be de-disabled (new word!) as a system property, maybe?
>>
>
> In my view, what's being suggested is to add TLSv1.0 and TLSv1.1 to the
> 'jdk.tls.disabledAlgorithms' list in java.security [1], as it was
> previously done for SSLv3 in JDK-8061210 [2]. Protocol support won't
> -and shouldn't- be removed from the JDK 8 or 11 [3]. This means that it
> could be available if you change the property value in the configuration
> [4] [5].
>
> Thanks,
> Martin.-
>
> --
> [0] - https://java.com/en/jre-jdk-cryptoroadmap.html
> [1] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/lib/security/java.security-linux#l654
> [2] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/1c0cc3bbe07d
> [3] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/SSLContextImpl.java#l540
> [4] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/ProtocolVersion.java#l153
> [5] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/c7c0c3c9f33c/src/share/classes/sun/security/ssl/SSLContextImpl.java#l478
>
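
Added example, not part of the original thread and not OpenJDK code: a Java 8-compatible audit that reads the `jdk.tls.disabledAlgorithms` security property discussed above and reports whether the running JDK still enables SSLv3, TLS 1.0 or TLS 1.1 in its default context. The class name `TlsPolicyAudit` and the exit-code convention are assumptions made for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsPolicyAudit {
    // Protocol names as JSSE spells them; "TLSv1" is TLS 1.0.
    static final List<String> LEGACY = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    // The property is a comma-separated list. Entries may also be algorithm
    // constraints such as "DH keySize < 1024", so compare whole entries only.
    static List<String> parseDisabled(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String entry : value.split(",")) {
            String t = entry.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    static boolean containsIgnoreCase(Iterable<String> items, String name) {
        for (String s : items) {
            if (s.equalsIgnoreCase(name)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> disabled =
            parseDisabled(Security.getProperty("jdk.tls.disabledAlgorithms"));
        // Protocols a socket gets when the application configures nothing.
        List<String> enabledByDefault = Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getProtocols());

        boolean clean = true;
        for (String proto : LEGACY) {
            boolean listed = containsIgnoreCase(disabled, proto);
            boolean enabled = containsIgnoreCase(enabledByDefault, proto);
            System.out.printf("%-8s in disabledAlgorithms=%-5b enabled by default=%b%n",
                              proto, listed, enabled);
            if (enabled) clean = false;
        }
        System.out.println("Default protocols: " + enabledByDefault);
        // Non-zero exit lets a build or fleet check flag this JDK installation.
        System.exit(clean ? 0 : 1);
    }
}
```

Run it with the same JDK installation and `java.security` file that the application uses, since the result depends on that configuration.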