[jdk8u-dev] RFR: 8279164: Disable TLS_ECDH_* cipher suites [v2]

Zdenek Zambersky zzambers at openjdk.org
Mon Jun 17 10:19:28 UTC 2024


On Fri, 14 Jun 2024 15:50:38 GMT, Zdenek Zambersky <zzambers at openjdk.org> wrote:

>> Backport disables `TLS_ECDH_*` cipher suites.
>> 
>> Not clean. Differences:
>> - there is more than one `java.security` file on 8u (one per system), because it does not have [JDK-6997010](https://bugs.openjdk.org/browse/JDK-6997010) (Consolidate java.security files into one file with modifications)
>> - changeset to `test/jdk/javax/net/ssl/DTLS/CipherSuite.java` is excluded, as there is no equivalent test on 8u, support for DTLS was only added in 9 by [JDK-8043758](https://bugs.openjdk.org/browse/JDK-8043758) (JEP 219: Datagram Transport Layer Security (DTLS))
>> - Parts of the changeset to the remaining files had to be done by hand, because of some context differences, as there are some intermediate changes not backported to 8u (e.g. [JDK-8163327](https://bugs.openjdk.org/browse/JDK-8163327) (Remove 3DES from the default enabled cipher suites list)).
>> 
>> Testing:
>> tier1: OK (only [known](https://bugs.openjdk.org/browse/JDK-8333788) CAInterop failures)
>> jdk_security: [OK](https://github.com/zzambers/jdk8u-dev/actions/runs/9466037907) (tested with modified GHA on top, modified security tests (by backport) passed, no regressions to [master](https://github.com/zzambers/jdk8u-dev/actions/runs/9467711902))
>
> Zdenek Zambersky has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Put ECDH on new line

> > Note: I was a bit puzzled to see "SSL_RSA_WITH_3DES_EDE_CBC_SHA" in the 11u-dev patch as 8163327 has not been backported to 11u. Looks like the JDK main line patch was extending the `disabled_ciphersuites` list in DisabledAlgorithms.java but in 11u they (mistakenly?) added `SSL_RSA_WITH_3DES_EDE_CBC_SHA`.
> 
> Yes, I noted that above and on the 17u backport: [openjdk/jdk17u-dev#2559 (comment)](https://github.com/openjdk/jdk17u-dev/pull/2559#issuecomment-2168097720). I'll open a bug to fix 11u & 17u. It looks like 8u avoided the issue by starting from the trunk patch.

Yes, I did backport directly from openjdk/jdk. (I did not wait for 17u/11u, as the backport would not be clean anyway.)

-------------

PR Comment: https://git.openjdk.org/jdk8u-dev/pull/519#issuecomment-2172974726
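As an added example (not part of this PR or of the JDK's own code), a small Java check that a deployer can run against a given 8u runtime to confirm that the static-ECDH suites (`TLS_ECDH_*`, as opposed to the ephemeral `TLS_ECDHE_*` ones that keep forward secrecy) are out of the default enabled set. It assumes the backport works through the `jdk.tls.disabledAlgorithms` security property (the `ECDH` keyword), which is how the mainline fix disables them; the class name and output format are my own.

```java
import javax.net.ssl.SSLContext;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Reports whether static-ECDH TLS cipher suites are still enabled by default. */
public class StaticEcdhCheck {

    /**
     * True only for static-ECDH suites. The prefix "TLS_ECDH_" (with the trailing
     * underscore) does not match "TLS_ECDHE_..." names, so ephemeral suites are kept.
     */
    static boolean isStaticEcdh(String suite) {
        return suite.startsWith("TLS_ECDH_");
    }

    /** Static-ECDH suites present in the runtime's default enabled list. */
    static List<String> enabledStaticEcdh(SSLContext ctx) {
        List<String> found = new ArrayList<>();
        for (String s : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (isStaticEcdh(s)) {
                found.add(s);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Reflects java.security plus any -D/Security.setProperty overrides.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        SSLContext ctx = SSLContext.getDefault();
        List<String> leftover = enabledStaticEcdh(ctx);

        if (leftover.isEmpty()) {
            System.out.println("OK: no static-ECDH suites in the default enabled set");
            return;
        }
        System.out.println("WARNING: static-ECDH suites still enabled by default:");
        for (String s : leftover) {
            System.out.println("  " + s);
        }
        // Hardening for a runtime without the backport: add the ECDH keyword to the
        // property in the runtime's java.security file (value shown is illustrative).
        System.out.println("Fix: append ', ECDH' to jdk.tls.disabledAlgorithms in java.security");
    }
}
```

Run it once on the patched build and once on an unpatched 8u to see the `TLS_ECDH_*` entries disappear from the warning list while `TLS_ECDHE_*` suites remain enabled.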