Allow to define the list of enabled named curves for EC cipher suites as Security Property
Sean Mullan
sean.mullan at oracle.com
Mon Aug 19 15:02:08 UTC 2019
On 8/19/19 10:10 AM, Christian Schaefer wrote:
> Hi Sean,
>
>> -----Original Message-----
>> Subject: Re: Allow to define the list of enabled named curves for EC cipher
>> suites as Security Property
>>
>> On 8/19/19 7:33 AM, Christian Schaefer wrote:
>>> Hi all,
>>>
>>> Today, the list of enabled named curves for EC cipher suites can be
>>> specified as "System Property" (name of the system property is
>>> jdk.tls.namedGroups) in JDK 8 and later. It seems like it cannot be
>>> specified as "Security Property". So unlike jdk.tls.disabledAlgorithms
>>> and jdk.certpath.disabledAlgorithms the property jdk.tls.namedGroups
>>> cannot be specified in the security properties file (i.e.
>>> lib/security/java.security).
>>
>> In JDK 14, we have added the ability to restrict named groups (and signature
>> schemes) in the jdk.tls.disabledAlgorithms security property:
>>
>> https://bugs.openjdk.java.net/browse/JDK-8227445
>>
>> Does this address your concern?
>
> Absolutely. Thanks a lot!
> Are there any plans to backport this to JDK 8?
Yes, I think that this is definitely something we should consider
backporting to previous releases. I'll look further into that.
>>> Is there any chance to enhance this in a future version so that
>>> jdk.tls.namedGroups can also be specified in the security properties
>>> file or is there a reason which I don't see that explains why
>>> jdk.tls.namedGroups can only be specified as System Property?
>>
>> There's no precise reason that I know of, but the default is typically sufficient
>> and secure for most applications and the system property allows you to
>> adjust it on a per-application basis. This is similar to the system properties for
>> the enabled cipher suites:
>> jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites.
>>
>
> Ok, perfect. Thanks,
You're welcome. Thanks for the feedback.
--Sean
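The two configuration routes discussed above, as an added example (not code from this thread or from the JDK): the JDK 8+ `jdk.tls.namedGroups` system property, which JSSE reads only from system properties, and the JDK 14+ `jdk.tls.disabledAlgorithms` security property, which must be appended to rather than overwritten. The group names and the `secp256k1` entry are illustrative values assumed for the demonstration.

```java
// Added example, not from the mailing-list thread or the JDK sources.
// Property names are the real JSSE names; the group names are illustrative.
import java.security.Security;
import javax.net.ssl.SSLContext;

public class NamedGroupConfig {

    /** JDK 8+ route: limit the named groups offered in the handshake.
     *  JSSE reads this from the *system* properties only, so putting it in
     *  java.security has no effect. It is read once at JSSE initialisation,
     *  so call this before any SSLContext / SSLSocket is created. */
    static void restrictNamedGroups(String commaSeparatedGroups) {
        System.setProperty("jdk.tls.namedGroups", commaSeparatedGroups);
    }

    /** JDK 14+ route: add an entry (e.g. a named group) to the
     *  jdk.tls.disabledAlgorithms security property. Security.setProperty()
     *  replaces the whole value, so append to what java.security already
     *  holds instead of silently dropping the existing restrictions. */
    static String disableAlgorithm(String entry) {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String updated = (current == null || current.trim().isEmpty())
                ? entry : current + ", " + entry;
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);
        return updated;
    }

    /** Show where each property is (and is not) picked up from. */
    static String describe(String name) {
        return name + ": system=" + System.getProperty(name)
                + ", security=" + Security.getProperty(name);
    }

    public static void main(String[] args) throws Exception {
        restrictNamedGroups("x25519, secp256r1, secp384r1");
        // Illustrative entry: a named-group name, accepted here since JDK 14.
        disableAlgorithm("secp256k1");
        System.out.println(describe("jdk.tls.namedGroups"));
        System.out.println(describe("jdk.tls.disabledAlgorithms"));

        // Only now initialise JSSE; both properties are consulted at this
        // point, so changes made afterwards are not picked up.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("JSSE initialised, protocol " + ctx.getProtocol());
    }
}
```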