Code Review Request JDK-8162362, Cannot enable previously default enabled cipher suites
Seán Coffey
sean.coffey at oracle.com
Wed Aug 3 08:13:14 UTC 2016
Hi Xuelei,
Thanks for taking this one on. I think the approach looks good. Some
minor comments ..
Can we update the bug description to something like "Introduce system
property to control enabled ciphersuites"
SSLContextImpl.java :
typo : getCustomizedCipehrSuites --> getCustomizedCipherSuites
line 432, if we're in debug mode, can we print the property name handed
in from application code?
e.g. Something like this might appear: jdk.tls.client.cipherSuites
property set to: "SSL_RSA_WITH_DES_CBC_SHA"
For the testcase, would you mind testing the new value with multiple
comma separated values ?
e.g. -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA,
unknown1, TLS_RSA_WITH_AES_128_CBC_SHA"
On line 200, 205, I think you can then just change your test to a
String.contains("<cipher>") call.
Regards,
Sean.
On 02/08/2016 16:34, Xuelei Fan wrote:
> Ping ...
>
> On 7/29/2016 11:23 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review the fix for JDK-8162362:
>>
>> http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/
>>
>> If a cipher suite is getting weak or vulnerable, it is normally removed
>> from the default enabled list in JDK. The compatibility impact of the
>> removal is normally minimal if there are other available cipher
>> suites enabled.
>>
>> However, some applications may want to support the disabled cipher
>> suites in JDK. If the source code is not accessible, there is not much
>> of a workaround to get the cipher suite back to work if it is removed from
>> the default enabled list in JDK.
>>
>> This fix introduces two new system properties, which can be used to
>> customize the default enabled cipher suites.
>>
>> The system property "jdk.tls.client.cipherSuites" is used to customize
>> the default enabled cipher suites for client side of SSL/TLS/DTLS
>> connections. Similarly, the system property
>> "jdk.tls.server.cipherSuites" is used for server side.
>>
>> The system property contains a comma-separated list of supported cipher
>> suite names specifying the default enabled cipher suites. All other
>> supported cipher suites are disabled for this default setting.
>> Unrecognized or unsupported cipher suite names specified in the property
>> are ignored. Explicit setting of enabled cipher suites will override the
>> system property.
>>
>> Thanks,
>> Xuelei
>>
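As an added illustration of the property semantics described above and of the multi-value test Sean asks for (this is example code written for this page, not the webrev's or the JDK's own implementation), the program below re-implements the documented parsing rules in a small helper and then checks, on a JDK that carries this fix, which of the requested suites actually ended up in the default enabled client list. The helper `parseCustomized` and the class name are assumptions; the property name and the sample suite names come from the thread.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherSuitePropertyCheck {
    // Illustrative parser following the behaviour described in the mail (an
    // assumption, not the JDK's own code): comma-separated names, whitespace
    // trimmed, unrecognized or unsupported names ignored, duplicates dropped.
    static List<String> parseCustomized(String property, Set<String> supported) {
        List<String> enabled = new ArrayList<>();
        if (property == null) {
            return enabled;
        }
        for (String raw : property.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (!supported.contains(name)) {
                // Ignored names are reported so a typo in the property is visible.
                System.err.println("ignoring unrecognized cipher suite: " + name);
            } else if (!enabled.contains(name)) {
                enabled.add(name);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        String prop = System.getProperty("jdk.tls.client.cipherSuites");
        System.out.println("jdk.tls.client.cipherSuites property set to: \"" + prop + "\"");
        List<String> expected = parseCustomized(prop, supported);
        // Client-side defaults, which are what jdk.tls.client.cipherSuites customizes.
        Set<String> actual = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        // Exact set membership rather than String.contains on a joined list, so a
        // suite name that is a substring of a longer name cannot match by accident.
        for (String name : expected) {
            System.out.println(name + (actual.contains(name) ? ": enabled" : ": NOT enabled"));
        }
        System.out.println("default enabled client suites: " + actual);
    }
}
```

Run it as `java -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA, unknown1, TLS_RSA_WITH_AES_128_CBC_SHA" CipherSuitePropertyCheck` to mirror the reviewer's suggested test input. A suite that the JDK disables through other security-policy settings will still be reported as NOT enabled even though it parses as requested.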