Code Review Request JDK-8162362, Cannot enable previously default enabled cipher suites
Xuelei Fan
xuelei.fan at oracle.com
Wed Aug 3 09:23:19 UTC 2016
New webrev:
http://cr.openjdk.java.net/~xuelei/8162362/webrev.01/
On 8/3/2016 4:13 PM, Seán Coffey wrote:
> Hi Xuelei,
>
> Thanks for taking this one on. I think the approach looks good. Some
> minor comments ..
>
> Can we update bug description to something like "Introduce system
> property to control enabled ciphersuites"
> SSLContextImpl.java :
>
> typo : getCustomizedCipehrSuites --> getCustomizedCipherSuites
>
> line 432, if we're in debug mode, can we print the property name handed
> in from application code ?
> e.g. Something like this might appear : jdk.tls.client.cipherSuites
> property set to : "SSL_RSA_WITH_DES_CBC_SHA"
>
> For the testcase, would you mind testing the new value with multiple
> comma separated values ?
>
> e.g. -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA,
> unknown1, TLS_RSA_WITH_AES_128_CBC_SHA"
>
All of the above comments are addressed in the new webrev.
> On line 200, 205, I think you can then just change your test to a
> String.contains("<cipher>") call.
>
I got the point. I want to use isEmpty() so that it reminds me
that the empty string is special in this context. Let me use the old code.
Thanks,
Xuelei
> Regards,
> Sean.
>
> On 02/08/2016 16:34, Xuelei Fan wrote:
>> Ping ...
>>
>> On 7/29/2016 11:23 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review the fix for JDK-8162362:
>>>
>>> http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/
>>>
>>> If a cipher suite is getting weak or vulnerable, it is normally removed
>>> from the default enabled list in JDK. The compatibility impact of the
>>> removal is normally minimal if there are other available cipher
>>> suites enabled.
>>>
>>> However, some applications may want to support the disabled cipher
>>> suites in JDK. If the source code is not accessible, there is not much
>>> of a workaround to get the cipher suite working again if it is removed
>>> from the default enabled list in JDK.
>>>
>>> This fix introduces two new system properties, which can be used to
>>> customize the default enabled cipher suites.
>>>
>>> The system property "jdk.tls.client.cipherSuites" is used to customize
>>> the default enabled cipher suites for client side of SSL/TLS/DTLS
>>> connections. Similarly, the system property
>>> "jdk.tls.server.cipherSuites" is used for server side.
>>>
>>> The system property contains a comma-separated list of supported cipher
>>> suite names specifying the default enabled cipher suites. All other
>>> supported cipher suites are disabled for this default setting.
>>> Unrecognized or unsupported cipher suite names specified in the property
>>> are ignored. Explicit setting of enabled cipher suites will override the
>>> system property.
>>>
>>> Thanks,
>>> Xuelei
>>>
>
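
An added example, not code from the webrev or from the JDK: a small Java check that sets the client property to the test value suggested in the thread, reports which names the runtime kept, and then shows an explicit setting replacing them. The class and helper names, the whitespace trimming, and setting the property at the start of main are assumptions of this sketch; the output depends on the JDK build.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuitePropertyAudit {
    // Property name and value come from the thread; the value is the reviewer's test input.
    static final String PROP = "jdk.tls.client.cipherSuites";
    static final String VALUE =
        "unknown, SSL_RSA_WITH_DES_CBC_SHA, unknown1, TLS_RSA_WITH_AES_128_CBC_SHA";

    // Split a comma-separated list; trimming spaces is an assumption of this sketch.
    static List<String> requested(String value) {
        List<String> names = new ArrayList<>();
        for (String part : value.split(",")) {
            if (!part.trim().isEmpty()) names.add(part.trim());
        }
        return names;
    }

    // Report how one requested name ended up in the client-side defaults.
    static String classify(String name, List<String> supported, List<String> enabled) {
        if (!supported.contains(name)) return "ignored (unrecognized or unsupported)";
        return enabled.contains(name) ? "enabled by default" : "supported, not enabled";
    }

    public static void main(String[] args) throws Exception {
        // Assumption: set before the first JSSE call so the provider reads it on init.
        System.setProperty(PROP, VALUE);
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();
        List<String> supported = Arrays.asList(factory.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(factory.getDefaultCipherSuites());

        for (String name : requested(VALUE)) {
            System.out.println(name + ": " + classify(name, supported, enabled));
        }
        System.out.println("Effective client defaults: " + enabled);

        // An explicit setting on the engine replaces whatever the property selected.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledCipherSuites(new String[] { supported.get(0) });
        System.out.println("After explicit setting: "
            + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Running the same check against a production launch command shows which legacy suites a deployment has actually re-enabled through the property.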