RFR [12]: 8211883: Disable anon and NULL cipher suites
Jamil Nimeh
jamil.j.nimeh at oracle.com
Tue Oct 23 20:15:20 UTC 2018
Looks good to me.
--Jamil
On 10/23/18 12:38 PM, Sean Mullan wrote:
> Please review this change to add the TLS anonymous and NULL cipher
> suites to the "jdk.tls.disabledAlgorithms" security property.
>
> These suites are used rarely and have security weaknesses. Anonymous
> suites are vulnerable to man-in-the-middle attacks. NULL suites do not
> provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT
> negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has
> removed them.
>
> These suites are not enabled by default, so an application has to
> explicitly enable them using an API or the
> "jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system
> properties. However, adding them to the "jdk.tls.disabledAlgorithms"
> security property adds an extra level of protection and an additional
> configuration change in order to use them.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/
>
> --Sean
>
> [1] https://tools.ietf.org/html/rfc7525
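
An added example, not part of the original thread or of the JDK change: a small Java audit a deployment could run to check the layers described above (the security property, the two system properties, and the default-enabled suite list). The class name `WeakSuiteAudit`, the helper names, and the assumption that the property lists these suites as the entries `anon` and `NULL` are not taken from the message.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example: audits a JVM for anonymous and NULL TLS cipher suites.
public class WeakSuiteAudit {
    // Anonymous suites use a DH_anon/ECDH_anon key exchange; NULL suites
    // name NULL as the bulk cipher (e.g. TLS_RSA_WITH_NULL_SHA256).
    static boolean isWeak(String suite) {
        return suite.contains("_anon_") || suite.contains("_WITH_NULL_");
    }

    static List<String> weakIn(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) if (isWeak(s.trim())) hits.add(s.trim());
        return hits;
    }

    // True if the comma-separated property value has an entry equal to token.
    static boolean hasEntry(String property, String token) {
        if (property == null) return false;
        return Arrays.stream(property.split(","))
                .map(String::trim)
                .anyMatch(e -> e.equalsIgnoreCase(token));
    }

    public static void main(String[] args) throws Exception {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        // Assumption: the suites are listed as the entries "anon" and "NULL".
        System.out.println("anon entry present: " + hasEntry(disabled, "anon"));
        System.out.println("NULL entry present: " + hasEntry(disabled, "NULL"));

        // System properties through which an application can request non-default suites.
        for (String p : new String[] {"jdk.tls.client.cipherSuites", "jdk.tls.server.cipherSuites"}) {
            String v = System.getProperty(p);
            if (v != null) System.out.println(p + " requests weak suites: " + weakIn(v.split(",")));
        }

        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = weakIn(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = weakIn(ctx.getSupportedSSLParameters().getCipherSuites());
        System.out.println("weak suites enabled by default: " + enabled);
        System.out.println("weak suites reported as supported: " + supported);
        if (!enabled.isEmpty()) System.exit(1); // non-zero exit for a CI check or startup probe
    }
}
```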