[jdk8u-dev] RFR: 8279164: Disable TLS_ECDH_* cipher suites
Severin Gehwolf
sgehwolf at openjdk.org
Fri Jun 14 11:54:21 UTC 2024
On Tue, 11 Jun 2024 16:55:53 GMT, Zdenek Zambersky <zzambers at openjdk.org> wrote:
> Backport disables `TLS_ECDH_*` cipher suites.
>
> Not clean. Differences:
> - there is more than one `java.security` file on 8u (one per system), because it does not have [JDK-6997010](https://bugs.openjdk.org/browse/JDK-6997010) (Consolidate java.security files into one file with modifications)
> - changeset to `test/jdk/javax/net/ssl/DTLS/CipherSuite.java` is excluded, as there is no equivalent test on 8u, support for DTLS was only added in 9 by [JDK-8043758](https://bugs.openjdk.org/browse/JDK-8043758) (JEP 219: Datagram Transport Layer Security (DTLS))
> - Parts of changeset to remaining files had to be done by hand, because of some context differences, as there are some intermediate changes not backported to 8u. (e.g. [JDK-8163327](https://bugs.openjdk.org/browse/JDK-8163327) (Remove 3DES from the default enabled cipher suites list))
>
> Testing:
> tier1: OK (only [known](https://bugs.openjdk.org/browse/JDK-8333788) CAInterop failures)
> jdk_security: [OK](https://github.com/zzambers/jdk8u-dev/actions/runs/9466037907) (tested with modified GHA on top, modified security tests (by backport) passed, no regressions to [master](https://github.com/zzambers/jdk8u-dev/actions/runs/9467711902))
Looks good. Only a few nit-picks.
jdk/src/share/lib/security/java.security-aix line 706:
> 704: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
> 705: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
> 706: DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
Please move the `ECDH` addition to a new line to match the [JDK 11 backport](https://github.com/openjdk/jdk11u-dev/commit/5dddf69319480251cdc904cf7a1d4fcd81573bb8) more closely.
Suggestion:
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
ECDH, \
jdk/src/share/lib/security/java.security-linux line 706:
> 704: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
> 705: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
> 706: DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
start a new line here as well.
-------------
PR Review: https://git.openjdk.org/jdk8u-dev/pull/519#pullrequestreview-2118196988
PR Review Comment: https://git.openjdk.org/jdk8u-dev/pull/519#discussion_r1639706504
PR Review Comment: https://git.openjdk.org/jdk8u-dev/pull/519#discussion_r1639706738
More information about the jdk8u-dev
mailing list