[jdk17u-dev] RFR: 8279164: Disable TLS_ECDH_* cipher suites
Andrew John Hughes
andrew at openjdk.org
Fri Jun 14 13:53:22 UTC 2024
On Mon, 10 Jun 2024 10:25:33 GMT, Martin Doerr <mdoerr at openjdk.org> wrote:
> Backport of [JDK-8279164](https://bugs.openjdk.org/browse/JDK-8279164). The test changes in DisabledAlgorithms.java needed manual integration. The rest applies cleanly.
I believe there's an error in this backport. In trunk, the change in `test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java` is as follows:
~~~
- // supported 3DES, DES, RC4, NULL, and anon cipher suites
- // it does not contain KRB5 cipher suites because they need a KDC
- private static final String[] desede_des_rc4_null_anon_ciphersuites
+ // disabled 3DES, DES, RC4, NULL, anon, and ECDH cipher suites
+ private static final String[] disabled_ciphersuites
~~~
and
~~~
@@ -109,7 +108,19 @@ public class DisabledAlgorithms {
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
- "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
~~~
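Review bot: The 3DES entries in this hunk ("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA") are unchanged context, not additions; the only new line is the TLS_ECDH_* entry after the trailing comma. A backport to a tree that lacks JDK-8163327 therefore has no 3DES lines to carry over and should add only the TLS_ECDH_* entries.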
In backporting to 17u, changes related to 3DES from [JDK-8163327](https://bugs.openjdk.org/browse/JDK-8163327) have been incorporated that don't belong in this fix.
~~~
- // supported RC4, NULL, and anon cipher suites
- // it does not contain KRB5 cipher suites because they need a KDC
- private static final String[] rc4_null_anon_ciphersuites = new String[] {
+ // disabled 3DES, DES, RC4, NULL, anon, and ECDH cipher suites
+ private static final String[] disabled_ciphersuites
+ = new String[] {
~~~
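Review bot: The replacement comment "disabled 3DES, DES, RC4, NULL, anon, and ECDH cipher suites" does not match the array it annotates in 17u; the removed name is `rc4_null_anon_ciphersuites`, so 3DES and DES are not in this list in this tree. Suggest "// disabled RC4, NULL, anon, and ECDH cipher suites" so the comment describes what the 17u array actually holds.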
and
~~~
- "TLS_ECDH_anon_WITH_RC4_128_SHA"
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
~~~
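Review bot: The added "SSL_RSA_WITH_3DES_EDE_CBC_SHA" line is not part of JDK-8279164 and is absent from the corresponding trunk hunk, which only appends TLS_ECDH_* suites after the existing last entry. Drop it and keep only the TLS_ECDH_* additions (the trailing comma added to "TLS_ECDH_anon_WITH_RC4_128_SHA" is still needed), otherwise the test asserts a 3DES restriction that this backport does not introduce.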
We shouldn't be adding 3DES here. This is not part of this PR. I'll file a bug to get this fixed. It also seems to affect the 11u backport. I spotted this when reviewing the 8u one, which, being based on trunk, did not have this addition when compared with the 11u one.
-------------
PR Comment: https://git.openjdk.org/jdk17u-dev/pull/2559#issuecomment-2168097720