[jdk8u-dev] RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v2]
Andrew John Hughes
andrew at openjdk.org
Wed Feb 18 16:05:01 UTC 2026
On Wed, 18 Feb 2026 13:51:26 GMT, David Sladký <duke at openjdk.org> wrote:
>> Backport of [JDK-8341964](https://bugs.openjdk.org/browse/JDK-8341964) - Add mechanism to disable different parts of TLS cipher suite
>>
>> Preparation for backport of [JDK-8245545](https://bugs.openjdk.org/browse/JDK-8245545) to comply with [Oracle JRE and JDK Cryptographic Roadmap](https://www.java.com/en/jre-jdk-cryptoroadmap.html)
>>
>> Extra changes compared to corresponding backport in jdk11:
>> - in `jdk/test/sun/security/ssl/CipherSuite/TLSCipherSuiteWildCardMatchingDisablePartsOfCipherSuite.java` on line 58 changed `List.of()` to `Array.asList()` (and added import for it) because the former is not supported by jdk8.
>>
>> ## Tests
>>
>> Tested on RHEL9.
>>
>> ### Tier 1
>>
>>
>> -------------- Test Summary ------------
>>
>> Summary: jdk_tier1
>> TEST STATS: name=jdk_tier1 run=1341 pass=1341 fail=0
>>
>> Summary: langtools_tier1
>> FAILED: tools/javac/lambda/LambdaLambdaSerialized.java
>> TEST STATS: name=langtools_tier1 run=3121 pass=3120 fail=1
>>
>> Summary: hotspot_tier1
>> TEST STATS: name=hotspot_tier1 run=808 pass=808 fail=0
>>
>> I reran the failed test and it passed:
>>
>> /root/jtreg/bin/jtreg -jdk:build/linux-x86_64-normal-server-release/images/j2sdk-image -Xmx768m langtools/test/tools/javac/lambda/LambdaLambdaSerialized.java
>> Test results: passed: 1
>>
>>
>> ### sun/security
>>
>>
>> Summary:
>> FAILED: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
>> FAILED: sun/security/pkcs11/Provider/Login.sh
>> FAILED: sun/security/pkcs11/Signature/TestDSAKeyLength.java
>> FAILED: sun/security/tools/keytool/autotest.sh
>>
>>
>> These same tests fail both in master and backport branch. I assume this is unrelated to this backport.
>>
>> ### GHA
>>
>> Passes.
>
> David Sladký has updated the pull request incrementally with one additional commit since the last revision:
>
> Included requested changes from PR
>
> Changed Array.asList() to Utils.listOf()
>
> Propagated changes from `java.security-macosx` to other relevant files.
>
> Included omitted changes to
> jdk/test/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java
Thanks for adding the missing test and the additional `java.security` changes, along with the `Utils.listOf`. Looking at the `java.security` changes directly rather than via a comparison with the 11u patch, I see another issue:
11u version:
~~~
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
-# rsa_pkcs1_sha1, secp224r1
+# rsa_pkcs1_sha1, secp224r1, TLS_RSA_*
~~~
8u version:
~~~
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+# rsa_pkcs1_sha1, secp224r1, TLS_RSA_*
~~~
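Review bot: the context line ends at `RSA keySize < 2048` with no trailing `, \`, so the added `+` line does not continue the example. Uncommented as written, the property value would stop at `RSA keySize < 2048` and `TLS_RSA_*` would not be part of it. The `+` line also introduces `rsa_pkcs1_sha1` and `secp224r1`, which in the 11u hunk were already present on the `-` line rather than added by this change. Suggest ending the first line with `, \` and keeping only `TLS_RSA_*` on the second.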
So the 8u version is adding content from another change, JDK-8226374, which is not applicable to 8u as it does not have named groups. In just adjusting that line, it also misses adding the continuation from the line above that was in 8226374. I think the 8u version should look like this:
~~~
-# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
+# TLS_RSA_*
~~~
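Review bot: the `-` line here is the first line of the example, so this is a two-line edit rather than an append. The update says the changes were propagated from `java.security-macosx` to other relevant files; each of those copies needs the `, \` added to the `RSA keySize < 2048` line as well, otherwise `# TLS_RSA_*` stands alone as an unrelated comment.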
-------------
Changes requested by andrew (Reviewer).
PR Review: https://git.openjdk.org/jdk8u-dev/pull/763#pullrequestreview-3820791256
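The continuation problem raised in the review, as an added Java 8 example (not code from the PR or the JDK): it parses the uncommented example with and without the trailing `, \` using `java.util.Properties`, then applies the correct value and lists any `TLS_RSA_` suites still enabled by default. The class name and inline strings are constructed for illustration, and the last step assumes a JDK build that includes the JDK-8341964 wildcard matching.

```java
import java.io.StringReader;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class DisabledAlgorithmsCheck {
    // Constructed inputs: the two forms of the example from the review, uncommented.
    static final String WITH_CONTINUATION =
        "jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \\\n"
      + "    TLS_RSA_*\n";
    static final String WITHOUT_CONTINUATION =
        "jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048\n"
      + "    TLS_RSA_*\n";

    // Parse the text as a properties file and return the value that would take effect.
    static String parse(String text) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p.getProperty("jdk.tls.disabledAlgorithms");
    }

    // Cipher suites enabled by default whose name matches the TLS_RSA_* wildcard.
    static List<String> enabledTlsRsaSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        List<String> hits = new ArrayList<String>();
        for (String suite : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (suite.startsWith("TLS_RSA_")) {
                hits.add(suite);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String good = parse(WITH_CONTINUATION);
        String bad = parse(WITHOUT_CONTINUATION);
        // Without the backslash, "TLS_RSA_*" is read as a separate key and never reaches the value.
        System.out.println("with continuation:    " + good);
        System.out.println("without continuation: " + bad);

        // Set before any TLS class is loaded, so the constraint is read with this value.
        Security.setProperty("jdk.tls.disabledAlgorithms", good);
        System.out.println("TLS_RSA_ suites still enabled: " + enabledTlsRsaSuites());
    }
}
```

On a build without the wildcard support the final list is expected to be non-empty, which makes the same program usable as a before/after check for the backport.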