RFR [12]: 8211883: Disable anon and NULL cipher suites
Sean Mullan
sean.mullan at oracle.com
Tue Oct 23 19:38:29 UTC 2018
Please review this change to add the TLS anonymous and NULL cipher
suites to the "jdk.tls.disabledAlgorithms" security property.
These suites are used rarely and have security weaknesses. Anonymous
suites are vulnerable to man-in-the-middle attacks. NULL suites do not
provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT
negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has
removed them.
These suites are not enabled by default, so an application has to
explicitly enable them using an API or the "jdk.tls.client.cipherSuites"
or "jdk.tls.server.cipherSuites" system properties. However, adding them
to the "jdk.tls.disabledAlgorithms" security property adds an extra
level of protection and additional configuration change in order to use
them.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/
--Sean
[1] https://tools.ietf.org/html/rfc7525
More information about the security-dev
mailing list