Code Review Request JDK-8162362, Cannot enable previously default enabled cipher suites

Seán Coffey sean.coffey at oracle.com
Wed Aug 3 08:13:14 UTC 2016


Hi Xuelei,

Thanks for taking this one on. I think the approach looks good. Some 
minor comments ..

Can we update the bug description to something like "Introduce system 
property to control enabled ciphersuites".

SSLContextImpl.java:

typo: getCustomizedCipehrSuites --> getCustomizedCipherSuites

line 432, if we're in debug mode, can we print the property name handed 
in from application code?
e.g. something like this might appear: jdk.tls.client.cipherSuites 
property set to : "SSL_RSA_WITH_DES_CBC_SHA"

For the testcase, would you mind testing the new value with multiple 
comma-separated values?

e.g. -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA, 
unknown1, TLS_RSA_WITH_AES_128_CBC_SHA"

On lines 200 and 205, I think you can then just change your test to a 
String.contains("<cipher>") call.

Regards,
Sean.

On 02/08/2016 16:34, Xuelei Fan wrote:
> Ping ...
>
> On 7/29/2016 11:23 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review the fix for JDK-8162362:
>>
>>     http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/
>>
>> If a cipher suite is getting weak or vulnerable, it is normally removed
>> from the default enabled list in JDK.  The compatibility impact of the
>> removal is normally minimal if there are other available cipher
>> suites enabled.
>>
>> However, some applications may want to support the disabled cipher
>> suites in JDK.  If the source code is not accessible, there is not much
>> of a workaround to get the cipher suite working again once it is removed
>> from the default enabled list in JDK.
>>
>> This fix introduces two new system properties, which can be used to
>> customize the default enabled cipher suites.
>>
>> The system property "jdk.tls.client.cipherSuites" is used to customize
>> the default enabled cipher suites for client side of SSL/TLS/DTLS
>> connections. Similarly, the system property
>> "jdk.tls.server.cipherSuites" is used for server side.
>>
>> The system property contains a comma-separated list of supported cipher
>> suite names specifying the default enabled cipher suites.  All other
>> supported cipher suites are disabled for this default setting.
>> Unrecognized or unsupported cipher suite names specified in the property
>> are ignored.  Explicit setting of enabled cipher suites will override the
>> system property.
>>
>> Thanks,
>> Xuelei
>>

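The following is an added example, not part of this thread, the webrev, or the JDK's own source: it exercises the two system properties described above on a JDK that ships the fix (9 or later) and shows the three rules Xuelei states, namely that client and server defaults are separate lists, that unrecognized names are ignored, and that an explicit setEnabledCipherSuites call wins over the property. The helper customizedSuites is a model of the described parsing semantics written for this example, not the JDK parser; its fallback to null (meaning "keep the built-in default") when nothing in the list is recognized is an assumption. The suite names in the property values are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CustomizedCipherSuitesDemo {

    /**
     * Model of the property semantics described in the review request; this
     * is NOT the JDK's own parser. Names are split on commas and trimmed,
     * unknown or unsupported names are dropped, order and uniqueness are
     * preserved, and an unset, empty or all-unrecognized value yields null,
     * meaning "keep the built-in default list" (that fallback is an
     * assumption of this model).
     */
    static String[] customizedSuites(String propertyValue, String[] supported) {
        if (propertyValue == null || propertyValue.trim().isEmpty()) {
            return null;
        }
        Set<String> known = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String name : propertyValue.split(",")) {
            String suite = name.trim();
            if (!suite.isEmpty() && known.contains(suite) && !enabled.contains(suite)) {
                enabled.add(suite);
            }
            // anything else ("unknown", "unknown1", duplicates) is ignored
        }
        return enabled.isEmpty() ? null : enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values for this demo. The properties are read once, when
        // the JSSE provider initializes, so they must be set before any
        // SSLContext is touched; -D on the command line works the same way.
        // "unknown" and "unknown1" are deliberately bogus names.
        System.setProperty("jdk.tls.client.cipherSuites",
                "unknown, TLS_RSA_WITH_AES_128_CBC_SHA, unknown1, "
                + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        System.setProperty("jdk.tls.server.cipherSuites",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
                + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

        SSLContext ctx = SSLContext.getDefault();

        // Client-side and server-side defaults are two independent lists.
        String[] clientDefault = ctx.getSocketFactory().getDefaultCipherSuites();
        String[] serverDefault = ctx.getServerSocketFactory().getDefaultCipherSuites();
        System.out.println("client default: " + Arrays.toString(clientDefault));
        System.out.println("server default: " + Arrays.toString(serverDefault));

        // The model should agree with what the provider actually enabled,
        // unless a listed suite is also blocked by the jdk.tls.disabledAlgorithms
        // security property, which this system property does not override.
        String[] supported = ctx.getSocketFactory().getSupportedCipherSuites();
        String[] modelled = customizedSuites(
                System.getProperty("jdk.tls.client.cipherSuites"), supported);
        System.out.println("model         : " + Arrays.toString(modelled));

        // An explicit per-connection setting overrides the property entirely.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledCipherSuites(
                new String[] {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"});
        System.out.println("explicit      : "
                + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Run it with no -D flags and the client list printed is exactly the two recognized names, in the order given; run it again with `-Djdk.tls.client.cipherSuites=...` instead of the System.setProperty call and the result is the same, which is the no-source-access case the fix targets. Two practical checks: a suite that is also listed in the `jdk.tls.disabledAlgorithms` security property (DES and, on current releases, 3DES) stays disabled regardless of this property, so re-enabling SSL_RSA_WITH_DES_CBC_SHA as in the thread's example requires editing java.security as well; and because the property is consulted only at provider initialization, a System.setProperty call placed after the first use of SSLContext anywhere in the process has no effect.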



More information about the security-dev mailing list