[jdk11u-dev] RFR: 8245545: Disable TLS_RSA cipher suites [v4]
Andrew John Hughes
andrew at openjdk.org
Wed Dec 3 01:01:34 UTC 2025
On Wed, 26 Nov 2025 12:08:21 GMT, David Sladký <duke at openjdk.org> wrote:
>> Backport of [JDK-8245545](https://bugs.openjdk.org/browse/JDK-8245545) - Disable TLS_RSA cipher suites
>>
>> Some TLS suites do not preserve forward-secrecy and are not commonly used - and should not be used.
>>
>> Not clean back port. This includes:
>> - Selection of disabled tests and some include that is in jdk11 but not in jdk17.
>> - Changed indentation of edited block of string defining disabled cipher suites.
>> - Bunch of copyright notices.
>>
>> Tested on Fedora 43:
>> - gtests passed
>> - T1 has the same failures before and after the backport -> not related to this.
>> - jtreg:test/jdk/sun/security passed.
>> - jtreg:test/jdk/javax/net/ssl passed.
>> - Github Actions passed.
>
> David Sladký has updated the pull request incrementally with one additional commit since the last revision:
>
> Fix incorrect resolution of conflict in javax/net/ssl/ciphersuites/DisabledAlgorithms.java
Most of this looks ok. I see three instances with changes that shouldn't be there:
1. `test/jdk/javax/net/ssl/SSLEngine/Basics.java` acquires some refactoring from [JDK-8298867](https://bugs.openjdk.org/browse/JDK-8298867). This should just add the lines, as in other tests in 8245545, to re-enable TLS_RSA_* i.e.
~~~
+ // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it.
+ SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
~~~
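Review bot: The comment on the first added line says the test re-enables both TLSv1.1 and TLS_RSA_*, but the call on the second line passes only `"TLS_RSA_*"` to `SecurityUtils.removeFromDisabledTlsAlgs`. If TLSv1.1 is already removed from the disabled list by another line of Basics.java that is not shown here, narrow the comment to TLS_RSA_* or note where TLSv1.1 is handled; otherwise add the protocol to the call so that the comment and the code agree.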
2. `test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java` brings in a whole bunch of indentation changes from [JDK-8301379](https://bugs.openjdk.org/browse/JDK-8301379). It should just add the additional algorithms as in 8245545.
3. `test/jdk/sun/security/pkcs11/fips/TestTLS12.java` alters the existing Red Hat copyright line for no apparent reason.
JDK-8298867 & JDK-8301379 are both test changes that are in Oracle's 11u and could be backported fully. Given we enter rampdown at the end of this week though, I would like to get this change in and those test changes can be done later if desired. We shouldn't be including chunks of them in this backport though.
-------------
Changes requested by andrew (Reviewer).
PR Review: https://git.openjdk.org/jdk11u-dev/pull/3124#pullrequestreview-3532711795