RFR [12]: 8211883: Disable anon and NULL cipher suites

Sean Mullan sean.mullan at oracle.com
Tue Oct 23 19:38:29 UTC 2018


Please review this change to add the TLS anonymous and NULL cipher 
suites to the "jdk.tls.disabledAlgorithms" security property.

These suites are used rarely and have security weaknesses. Anonymous 
suites are vulnerable to man-in-the-middle attacks. NULL suites do not 
provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT 
negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has 
removed them.

These suites are not enabled by default, so an application has to 
explicitly enable them using an API or the "jdk.tls.client.cipherSuites" 
or "jdk.tls.server.cipherSuites" system properties. However, adding them 
to the "jdk.tls.disabledAlgorithms" security property adds an extra 
level of protection and additional configuration change in order to use 
them.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/

--Sean

[1] https://tools.ietf.org/html/rfc7525



More information about the security-dev mailing list