[jdk8u-dev] RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v4]

Severin Gehwolf sgehwolf at openjdk.org
Thu Feb 19 16:05:34 UTC 2026 

On Wed, 18 Feb 2026 16:42:33 GMT, David Sladký <duke at openjdk.org> wrote:

>> Backport of [JDK-8341964](https://bugs.openjdk.org/browse/JDK-8341964) - Add mechanism to disable different parts of TLS cipher suite
>> 
>> Preparation for backport of [JDK-8245545](https://bugs.openjdk.org/browse/JDK-8245545) to comply with [Oracle JRE and JDK Cryptographic Roadmap](https://www.java.com/en/jre-jdk-cryptoroadmap.html)
>> 
>> Extra changes compared to corresponding backport in jdk11:
>> - in `jdk/test/sun/security/ssl/CipherSuite/TLSCipherSuiteWildCardMatchingDisablePartsOfCipherSuite.java` on line 58 changed `List.of()` to `Array.asList()` (and added import for it) because the former is not supported by jdk8.
>> 
>> ## Tests
>> 
>> Tested on RHEL9.
>> 
>> ### Tier 1
>> 
>> 
>> -------------- Test Summary ------------
>> 
>> Summary: jdk_tier1
>> TEST STATS: name=jdk_tier1  run=1341  pass=1341  fail=0
>> 
>> Summary: langtools_tier1
>> FAILED: tools/javac/lambda/LambdaLambdaSerialized.java
>> TEST STATS: name=langtools_tier1  run=3121  pass=3120  fail=1
>> 
>> Summary: hotspot_tier1
>> TEST STATS: name=hotspot_tier1  run=808  pass=808  fail=0
>> 
>> I rerun the failed test and it passed:
>> 
>> /root/jtreg/bin/jtreg -jdk:build/linux-x86_64-normal-server-release/images/j2sdk-image -Xmx768m langtools/test/tools/javac/lambda/LambdaLambdaSerialized.java
>> Test results: passed: 1
>> 
>> 
>> ### sun/security
>> 
>> 
>> Summary:
>> FAILED: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
>> FAILED: sun/security/pkcs11/Provider/Login.sh
>> FAILED: sun/security/pkcs11/Signature/TestDSAKeyLength.java
>> FAILED: sun/security/tools/keytool/autotest.sh
>> 
>> 
>> These same tests fail both in master and backport branch. I assume this is unrelated to this backport.
>> 
>> ### GHA
>> 
>> Passes.
>
> David Sladký has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains one new commit since the last revision:
> 
>   Fixed up incorrect examples.

I guess this change.

jdk/src/share/lib/security/java.security-aix line 709:

> 707: # Example:
> 708: #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
> 709: #       rsa_pkcs1_sha1, secp224r1, TLS_RSA_*

Suggestion:

#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       TLS_RSA_*

-------------

PR Review: https://git.openjdk.org/jdk8u-dev/pull/763#pullrequestreview-3826833332
PR Review Comment: https://git.openjdk.org/jdk8u-dev/pull/763#discussion_r2828710641

More information about the jdk8u-dev mailing list