Code Review Request JDK-8162362, Cannot enable previously default enabled cipher suites

Xuelei Fan xuelei.fan at oracle.com
Fri Jul 29 15:23:15 UTC 2016


Hi,

Please review the fix for JDK-8162362:

   http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/

If a cipher suite is getting weak or vulnerable, it is normally removed
from the default enabled list in the JDK.  The compatibility impact of
the removal is normally minimal if there are other available cipher
suites enabled.

However, some applications may want to support the disabled cipher
suites in the JDK.  If the source code is not accessible, there is not
much of a workaround to get the cipher suite working again if it is
removed from the default enabled list in the JDK.

This fix introduces two new system properties, which can be used to
customize the default enabled cipher suites.

The system property "jdk.tls.client.cipherSuites" is used to customize
the default enabled cipher suites for the client side of SSL/TLS/DTLS
connections. Similarly, the system property
"jdk.tls.server.cipherSuites" is used for the server side.

The system property contains a comma-separated list of supported cipher
suite names specifying the default enabled cipher suites.  All other
supported cipher suites are disabled for this default setting.
An unrecognized or unsupported cipher suite name specified in the
property is ignored.  Explicit setting of enabled cipher suites will
override the system property.

Thanks,
Xuelei
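
An added example, not part of the original message or the webrev: a small audit that sets the two properties described above and reports which requested names the runtime ignored and which default-enabled suites look weak. The class name DefaultSuiteAudit, the sample suite lists and the WEAK name fragments are assumptions, and it assumes a JDK that includes this fix.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

public class DefaultSuiteAudit {
    // Assumption: name fragments this audit treats as weak; adjust to local policy.
    static final List<String> WEAK =
        Arrays.asList("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_");

    static boolean isWeak(String suite) {
        return WEAK.stream().anyMatch(suite::contains);
    }

    // Compare what was requested in the property with what the runtime reports.
    static void report(String side, String requested, String[] supported, String[] defaults) {
        Set<String> known = new HashSet<>(Arrays.asList(supported));
        for (String raw : requested.split(",")) {
            String name = raw.trim();
            if (!name.isEmpty() && !known.contains(name)) {
                System.out.println(side + ": not supported, so ignored: " + name);
            }
        }
        for (String suite : defaults) {
            System.out.println(side + ": enabled by default: " + suite
                + (isWeak(suite) ? "  <-- WEAK" : ""));
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; normally passed at launch with
        // -Djdk.tls.client.cipherSuites=... and -Djdk.tls.server.cipherSuites=...
        String client = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
            + "SSL_RSA_WITH_RC4_128_SHA,NOT_A_REAL_SUITE";
        String server = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
        // Assumption: the properties are read when JSSE initializes,
        // so set them before any javax.net.ssl factory is requested.
        System.setProperty("jdk.tls.client.cipherSuites", client);
        System.setProperty("jdk.tls.server.cipherSuites", server);

        SSLSocketFactory cf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLServerSocketFactory sf =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        report("client", client, cf.getSupportedCipherSuites(), cf.getDefaultCipherSuites());
        report("server", server, sf.getSupportedCipherSuites(), sf.getDefaultCipherSuites());
    }
}
```

Per the message, an application's explicit setting of enabled cipher suites overrides both properties, so this audits only the defaults.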


