Code Review Request JDK-8162362, Cannot enable previously default enabled cipher suites
Seán Coffey
sean.coffey at oracle.com
Wed Aug 3 10:23:31 UTC 2016
looks good.
Regards,
Sean.
On 03/08/16 10:23, Xuelei Fan wrote:
> New webrev:
> http://cr.openjdk.java.net/~xuelei/8162362/webrev.01/
>
> On 8/3/2016 4:13 PM, Seán Coffey wrote:
>> Hi Xuelei,
>>
>> Thanks for taking this one on. I think the approach looks good. Some
>> minor comments ..
>>
>> Can we update bug description to something like "Introduce system
>> property to control enabled ciphersuites"
>>
>> SSLContextImpl.java :
>>
>> typo : getCustomizedCipehrSuites --> getCustomizedCipherSuites
>>
>> line 432, if we're in debug mode, can we print the property name handed
>> in from application code ?
>> e.g. Something like this might appear : jdk.tls.client.cipherSuites
>> property set to : "SSL_RSA_WITH_DES_CBC_SHA"
>>
>> For the testcase, would you mind testing the new value with multiple
>> comma separated values ?
>>
>> e.g. -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA,
>> unknown1, TLS_RSA_WITH_AES_128_CBC_SHA"
>>
> All above comments get addressed in the new webrev.
>
>
>> On line 200, 205, I think you can then just change your test to a
>> String.contains("<cipher>") call.
>>
> I got the point. I want to use isEmpty() so that it is reminding me
> that empty string is special in the context. Let me use the old code.
>
> Thanks,
> Xuelei
>
>
>> Regards,
>> Sean.
>>
>> On 02/08/2016 16:34, Xuelei Fan wrote:
>>> Ping ...
>>>
>>> On 7/29/2016 11:23 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Please review the fix for JDK-8162362:
>>>>
>>>> http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/
>>>>
>>>> If a cipher suite is getting weak or vulnerable, it is normally removed
>>>> from the default enabled list in JDK. The compatibility impact of the
>>>> removing is normally minimal as if there are other available cipher
>>>> suites enabled.
>>>>
>>>> However, some applications may want to support the disabled cipher
>>>> suites in JDK. If the source code is not accessible, there is not much
>>>> workaround to have the cipher suite back to work if it is removed from
>>>> the default enabled list in JDK.
>>>>
>>>> This fix introduces two new system properties, which can be used to
>>>> customize the default enabled cipher suites.
>>>>
>>>> The system property "jdk.tls.client.cipherSuites" is used to customize
>>>> the default enabled cipher suites for client side of SSL/TLS/DTLS
>>>> connections. Similarly, the system property
>>>> "jdk.tls.server.cipherSuites" is used for server side.
>>>>
>>>> The system property contains a comma-separated list of supported cipher
>>>> suite names specifying the default enabled cipher suites. All other
>>>> supported cipher suites are disabled for this default setting.
>>>> Unrecognized or unsupported cipher suite name specified in the property
>>>> is ignored. Explicit setting of enabled cipher suites will override the
>>>> system property.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
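The property semantics described in the thread (comma-separated list, unrecognized names ignored, explicit settings take precedence) can be observed with a small check like the one below. This is an added example, not code from the webrev or the JDK; the class name `CipherSuitePropertyCheck` is hypothetical and the property value is a constructed sample modelled on the test input suggested above. It prints what the running JDK reports, which varies by JDK version and security configuration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuitePropertyCheck {
    static final String PROP = "jdk.tls.client.cipherSuites";

    public static void main(String[] args) throws Exception {
        // Constructed sample value; a -D option on the command line wins.
        // The property has to be set before JSSE initializes its defaults.
        if (System.getProperty(PROP) == null) {
            System.setProperty(PROP,
                "unknown, SSL_RSA_WITH_DES_CBC_SHA, unknown1, TLS_RSA_WITH_AES_128_CBC_SHA");
        }
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        String[] supportedArr = factory.getSupportedCipherSuites();
        Set<String> supported = new HashSet<>(Arrays.asList(supportedArr));
        List<String> defaults = Arrays.asList(factory.getDefaultCipherSuites());

        // Classify every name handed in through the property.
        for (String raw : System.getProperty(PROP).split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            String status;
            if (!supported.contains(name)) {
                status = "ignored (not a supported suite name in this JDK)";
            } else if (defaults.contains(name)) {
                status = "enabled by default on the client side";
            } else {
                status = "supported, but absent from the effective defaults";
            }
            System.out.println(name + " -> " + status);
        }
        System.out.println("Effective client defaults: " + defaults);

        // An explicit setting on a socket replaces the property-derived defaults.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println("Socket before explicit set: "
                + Arrays.toString(socket.getEnabledCipherSuites()));
            socket.setEnabledCipherSuites(new String[] { supportedArr[0] });
            System.out.println("Socket after explicit set:  "
                + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Any suite that shows up as enabled by default here is offered in every client handshake that does not set its own list, so the output is worth reviewing whenever the property is used to bring back a suite the JDK has dropped from its defaults.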