Shall TLS_EMPTY_RENEGOTIATION_INFO_SCSV really be disabled via jdk.tls.disabledAlgorithms=...,NULL or is it an unwanted side effect of JDK-8211883?

Sean Mullan sean.mullan at oracle.com
Tue Jan 22 21:46:11 UTC 2019 

Hi Christoph,

Yes, this indeed looks like a bug. The jdk.tls.disabledAlgorithms 
security property probably should not restrict suites that are not 
negotiable like TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Please feel free to file a bug or else Sean Coffey or I can do that on 
your behalf tomorrow. The information below should be enough details to 
put in the bug.

Thanks,
Sean

On 1/22/19 2:57 PM, Langer, Christoph wrote:
> Hi security experts,
> 
> one of our customers is running into an issue with a Tomcat application 
> after JDK-8211883 [1]. It seems that because of adding NULL to 
> jdk.tls.disabledAlgorithms, the pseudo cipher suite 
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled. Seems like, according to 
> CipherSuite.java [2], it is considered a NULL cipher. The 
> tracing/reproducer shows that it’s definitely disabled via 
> jdk.tls.disabledAlgorithms=NULL.
> 
> However, with my limited knowledge of TLS and ciphersuites and googling 
> around, I understand that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is part of 
> the RFC 5746 specification [3], which is still considered secure and 
> state of the art for renegotiation. Is that correct?
> 
> The effect now in the customer application is that the client sends the 
> SCSV and the Tomcat SSL Engine checks for the presence of the SCSV 
> cipher in the cipher suites [4]. Since it is not present, the handshake 
> is stopped by removing all ciphers [5].
> 
> I also understand the Oracle readme about the renegotiation topic, that 
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a thing to have but not to disable.
> 
> Please let me know, if you agree with my analysis. If so, could you 
> please file a bug or tell me to do so? Otherwise let me know what I’m 
> missing. The workaround for the customer is to remove the NULL entry 
> from jdk.tls.disabledAlgorithms for the time being. I guess that’s a bit 
> more secure than setting “sun.security.ssl.allowUnsafeRenegotiation” ��
> 
> Thanks
> 
> Christoph
> 
> [1] https://bugs.openjdk.java.net/browse/JDK-8211883
> 
> [2] 
> http://hg.openjdk.java.net/jdk/jdk/file/1ae823617395/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#l312
> 
> [3] http://www.ietf.org/rfc/rfc5746.txt
> 
> [4] 
> https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L145 
> 
> 
> [5] 
> https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L293 
> 
> 
> [6] 
> https://www.oracle.com/technetwork/java/javase/overview/tlsreadme2-176330.html 
> 
>

More information about the security-dev mailing list