RFR [12]: 8211883: Disable anon and NULL cipher suites

Jamil Nimeh jamil.j.nimeh at oracle.com
Tue Oct 23 20:15:20 UTC 2018


Looks good to me.

--Jamil

On 10/23/18 12:38 PM, Sean Mullan wrote:
> Please review this change to add the TLS anonymous and NULL cipher 
> suites to the "jdk.tls.disabledAlgorithms" security property.
>
> These suites are used rarely and have security weaknesses. Anonymous 
> suites are vulnerable to man-in-the-middle attacks. NULL suites do not 
> provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT 
> negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has 
> removed them.
>
> These suites are not enabled by default, so an application has to 
> explicitly enable them using an API or the 
> "jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system 
> properties. However, adding them to the "jdk.tls.disabledAlgorithms" 
> security property adds an extra level of protection and additional 
> configuration change in order to use them.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/
>
> --Sean
>
> [1] https://tools.ietf.org/html/rfc7525
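
An added example, not part of the original message or the webrev: a small Java check that reports whether the running JDK has the setting this thread discusses and whether any anonymous or NULL suites are still offered or requested. It assumes the property entries are spelled `anon` and `NULL` as in the subject line, and that such suites can be recognised by `_anon_` and `_WITH_NULL_` in their standard names; the class and method names are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): audits the running JDK.
public class DisabledSuiteAudit {

    // Assumption: standard suite names mark anonymous key exchange with
    // "_anon_" and absent encryption with "_WITH_NULL_".
    static boolean isAnonOrNull(String suite) {
        return suite.contains("_anon_") || suite.contains("_WITH_NULL_");
    }

    // True if the comma-separated value contains an entry equal to 'name'.
    static boolean hasEntry(String value, String name) {
        if (value == null) return false;
        for (String entry : value.split(",")) {
            if (entry.trim().equalsIgnoreCase(name)) return true;
        }
        return false;
    }

    // Returns only the anon/NULL suites from a list of suite names.
    static List<String> weak(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) if (isAnonOrNull(s.trim())) out.add(s.trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("anon listed: " + hasEntry(disabled, "anon"));
        System.out.println("NULL listed: " + hasEntry(disabled, "NULL"));

        // System properties an application can use to opt in to extra suites.
        for (String p : new String[] {"jdk.tls.client.cipherSuites",
                                      "jdk.tls.server.cipherSuites"}) {
            String v = System.getProperty(p);
            if (v != null) System.out.println(p + " requests: " + weak(v.split(",")));
        }

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("anon/NULL supported: "
                + weak(ctx.getSupportedSSLParameters().getCipherSuites()));
        System.out.println("anon/NULL enabled by default: "
                + weak(ctx.getDefaultSSLParameters().getCipherSuites()));
    }
}
```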


