Allow to define the list of enabled named curves for EC cipher suites as Security Property

Christian Schaefer christian.schaefer at microfocus.com
Mon Aug 19 14:10:24 UTC 2019


Hi Sean,

> -----Original Message-----
> Subject: Re: Allow to define the list of enabled named curves for EC cipher
> suites as Security Property
> 
> On 8/19/19 7:33 AM, Christian Schaefer wrote:
> > Hi all,
> >
> > Today, the list of enabled named curves for EC cipher suites can be
> > specified as "System Property" (name of the system property is
> > jdk.tls.namedGroups) in JDK 8 and later. It seems like it cannot be
> > specified as "Security Property". So unlike jdk.tls.disabledAlgorithms
> > and jdk.certpath.disabledAlgorithms the property jdk.tls.namedGroups
> > cannot be specified in the security properties file (i.e.
> > lib/security/java.security).
> 
> In JDK 14, we have added the ability to restrict named groups (and signature
> schemes) in the jdk.tls.disabledAlgorithms security property:
> 
> https://bugs.openjdk.java.net/browse/JDK-8227445
> 
> Does this address your concern?

Absolutely. Thanks a lot!
Are there any plans to backport this to JDK 8?

> 
> > Is there any chance to enhance this in a future version so that
> > jdk.tls.namedGroups can also be specified in the security properties
> > file or is there a reason which I don't see that explains why
> > jdk.tls.namedGroups can only be specified as System Property?
> 
> There's no precise reason that I know of, but the default is typically sufficient
> and secure for most applications and the system property allows you to
> adjust it on a per-application basis. This is similar to the system properties for
> the enabled cipher suites:
> jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites.
> 

Ok, perfect. Thanks,

Christian.


> Thanks,
> Sean
> 