Shall TLS_EMPTY_RENEGOTIATION_INFO_SCSV really be disabled via jdk.tls.disabledAlgorithms=...,NULL or is it an unwanted side effect of JDK-8211883?

Sean Mullan sean.mullan at oracle.com
Tue Jan 22 21:56:54 UTC 2019


Actually a bug for this has just been filed by SAP: 
https://bugs.openjdk.java.net/browse/JDK-8217579. Since it came in via 
webbugs, it has been initially marked Confidential. We can probably just 
use this bug. I'll copy in more details and open it up.

--Sean

On 1/22/19 4:46 PM, Sean Mullan wrote:
> Hi Christoph,
> 
> Yes, this indeed looks like a bug. The jdk.tls.disabledAlgorithms 
> security property probably should not restrict suites that are not 
> negotiable like TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
> 
> Please feel free to file a bug or else Sean Coffey or I can do that on 
> your behalf tomorrow. The information below should be enough details to 
> put in the bug.
> 
> Thanks,
> Sean
> 
> On 1/22/19 2:57 PM, Langer, Christoph wrote:
>> Hi security experts,
>>
>> one of our customers is running into an issue with a Tomcat 
>> application after JDK-8211883 [1]. It seems that because of adding 
>> NULL to jdk.tls.disabledAlgorithms, the pseudo cipher suite 
>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled. Seems like, according 
>> to CipherSuite.java [2], it is considered a NULL cipher. The 
>> tracing/reproducer shows that it’s definitely disabled via 
>> jdk.tls.disabledAlgorithms=NULL.
>>
>> However, with my limited knowledge of TLS and ciphersuites and 
>> googling around, I understand that TLS_EMPTY_RENEGOTIATION_INFO_SCSV 
>> is part of the RFC 5746 specification [3], which is still considered 
>> secure and state of the art for renegotiation. Is that correct?
>>
>> The effect now in the customer application is that the client sends 
>> the SCSV and the Tomcat SSL Engine checks for the presence of the SCSV 
>> cipher in the cipher suites [4]. Since it is not present, the 
>> handshake is stopped by removing all ciphers [5].
>>
>> I also understand the Oracle readme about the renegotiation topic, 
>> that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a thing to have but not to 
>> disable.
>>
>> Please let me know, if you agree with my analysis. If so, could you 
>> please file a bug or tell me to do so? Otherwise let me know what I’m 
>> missing. The workaround for the customer is to remove the NULL entry 
>> from jdk.tls.disabledAlgorithms for the time being. I guess that’s a 
>> bit more secure than setting 
>> “sun.security.ssl.allowUnsafeRenegotiation” 😉
>>
>> Thanks
>>
>> Christoph
>>
>> [1] https://bugs.openjdk.java.net/browse/JDK-8211883
>>
>> [2] 
>> http://hg.openjdk.java.net/jdk/jdk/file/1ae823617395/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#l312 
>>
>>
>> [3] http://www.ietf.org/rfc/rfc5746.txt
>>
>> [4] 
>> https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L145 
>>
>>
>> [5] 
>> https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L293 
>>
>>
>> [6] 
>> https://www.oracle.com/technetwork/java/javase/overview/tlsreadme2-176330.html 
>>
>>



More information about the security-dev mailing list