RFR: Disable all DES cipher suites
Jamil Nimeh
jamil.j.nimeh at oracle.com
Mon Aug 20 14:33:28 UTC 2018
I can fix the copyright, no problem. Good catch on the othervm - the
original form of the test did set properties but it seemed better to not
set them explicitly and just use the new defaults. One would not expect
to ever remove DES and RC4 from the disabledAlgorithms identifier set,
at least in our delivered code. It doesn't need to be run in othervm
mode. And I can comment those other two tests.
Thanks,
--Jamil
On 8/20/2018 7:19 AM, Sean Mullan wrote:
> Looks good, just a few minor comments:
>
> CustomizedCipherSuites.java
>
> - should have both years (2016, 2018) on copyright
>
> NoDesRC4CiphSuite.java
>
> - does this need to be run in othervm mode? It doesn't look like you
> are setting any properties dynamically. Lines 30-31 should also be
> removed, if so.
>
> - add comments describing what the testEngAddDisabled method does
> (similar to the testEngOnlyDisabled method)
>
> --Sean
>
> On 8/19/18 9:06 PM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This change adds all DES cipher suites to the
>> jdk.tls.disabledAlgorithms Security property. This will have the
>> effect of making all DES-based suites unavailable to SunJSSE
>> SSLSocket and SSLEngine instances, even if explicitly enabled using
>> calls like SSLEngine.setEnabledCipherSuites() or
>> SSLSocket.setEnabledCipherSuites(). Users wishing to re-enable these
>> suites for legacy purposes must first alter the
>> jdk.tls.disabledAlgorithms property in the java.security file.
>>
>> Please note that prior to this change, DES-based suites were
>> available, but not enabled by default on SSLSocket and SSLEngine
>> objects. This change just makes these suites no longer available
>> without further intervention.
>>
>> This change also removes RC4_40 from this Security property as it is
>> already superseded by the RC4 identifier. It also cleans up a
>> cut-and-paste bug in a couple of the RC4_40 export suites (those
>> suites are disabled already).
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8208350/webrev.01/
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8208350
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8209318
>>
>> Thanks,
>> --Jamil
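Added example, not part of this thread or of the JDK change under review: a small Java audit that checks whether the running JVM's jdk.tls.disabledAlgorithms property still lists the DES and RC4 identifiers discussed above, and flags a redundant RC4_40 entry. The class and method names, the case-insensitive comparison and the suite-name substring match are assumptions made for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class DisabledTlsAlgAudit {
    // Identifiers this thread expects to find in jdk.tls.disabledAlgorithms.
    static final String[] EXPECTED = { "DES", "RC4" };

    // Each entry is "Name [constraint]", e.g. "DH keySize < 1024"; keep only the name.
    static Set<String> disabledNames(String prop) {
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER); // assumption: ignore case
        if (prop == null) return names;
        for (String entry : prop.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) names.add(e.split("\\s+")[0]);
        }
        return names;
    }

    // Assumption: a name-substring heuristic, not the JSSE's own matching logic.
    static List<String> legacySuites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_DES_CBC_") || s.contains("_DES40_") || s.contains("_RC4_")) hits.add(s);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        Set<String> names = disabledNames(Security.getProperty("jdk.tls.disabledAlgorithms"));
        boolean ok = true;
        for (String want : EXPECTED) {
            boolean present = names.contains(want);
            System.out.println(want + " listed in jdk.tls.disabledAlgorithms: " + present);
            ok &= present;
        }
        if (names.contains("RC4") && names.contains("RC4_40"))
            System.out.println("note: RC4_40 is redundant when RC4 is listed");
        // Informational only: suites the default context reports that look DES- or RC4-based.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("DES/RC4-named suites reported as supported: " + legacySuites(supported));
        System.exit(ok ? 0 : 1); // non-zero when an expected identifier has been removed
    }
}
```

Run it with the same java.security file and JVM options as the service being audited, since an edited or overridden security properties file changes what Security.getProperty returns.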
More information about the security-dev
mailing list