RFR: Disable all DES cipher suites
Sean Mullan
sean.mullan at oracle.com
Mon Aug 20 14:19:22 UTC 2018
Looks good, just a few minor comments:

CustomizedCipherSuites.java

- should have both years (2016, 2018) on copyright

NoDesRC4CiphSuite.java

- does this need to be run in othervm mode? It doesn't look like you are
setting any properties dynamically. Lines 30-31 should also be removed,
if so.

- add comments describing what the testEngAddDisabled method does
(similar to the testEngOnlyDisabled method)

--Sean

On 8/19/18 9:06 PM, Jamil Nimeh wrote:
> Hello all,
>
> This change adds all DES cipher suites to the jdk.tls.disabledAlgorithms
> Security property. This will have the effect of making all DES-based
> suites unavailable to SunJSSE SSLSocket and SSLEngine instances, even if
> explicitly enabled using calls like SSLEngine.setEnabledCipherSuites()
> or SSLSocket.setEnabledCipherSuites(). Users wishing to re-enable these
> suites for legacy purposes must first alter the
> jdk.tls.disabledAlgorithms property in the java.security file.
>
> Please note that prior to this change, DES-based suites were available,
> but not enabled by default on SSLSocket and SSLEngine objects. This
> change just makes these suites no longer available without further
> intervention.
>
> This change also removes RC4_40 from this Security property as it is
> already superseded by the RC4 identifier. It also cleans up a
> cut-and-paste bug in a couple of the RC4_40 export suites (those suites
> are disabled already).
>
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8208350/webrev.01/
> JBS: https://bugs.openjdk.java.net/browse/JDK-8208350
> CSR: https://bugs.openjdk.java.net/browse/JDK-8209318
>
> Thanks,
> --Jamil
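
A runtime check for the behaviour described in the quoted message, added here as an example and not part of the thread or the JDK change: it prints the jdk.tls.disabledAlgorithms value in effect and lists any single-DES suites the default SSLContext still reports. The class name DesSuiteAudit and the name pattern are this example's own; it assumes the provider leaves suites blocked by the property out of getSupportedCipherSuites().

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: audits a JVM for single-DES TLS cipher suites. */
public class DesSuiteAudit {
    // Standard JSSE names of single-DES suites contain WITH_DES_CBC or
    // WITH_DES40_CBC; 3DES suites (WITH_3DES_EDE_CBC) do not match.
    private static final Pattern SINGLE_DES =
            Pattern.compile("_WITH_DES(40)?_CBC_");

    static List<String> singleDes(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (SINGLE_DES.matcher(s).find()) {
                hits.add(s);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Value currently in effect for this JVM.
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + prop);

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supported = singleDes(engine.getSupportedCipherSuites());
        List<String> enabled = singleDes(engine.getEnabledCipherSuites());

        System.out.println("single-DES suites reported as supported: " + supported);
        System.out.println("single-DES suites enabled by default:    " + enabled);

        // Assumption: a runtime with DES disabled reports neither list.
        // Non-zero exit lets a build or deployment check fail otherwise.
        if (!supported.isEmpty() || !enabled.isEmpty()) {
            System.err.println("FAIL: runtime still offers single-DES suites");
            System.exit(1);
        }
        System.out.println("OK: no single-DES suites offered by the default SSLContext");
    }
}
```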