[15] RFR: 8238560: Cleanup and consolidate algorithms in the jdk.tls.legacyAlgorithms security property

Sean Mullan sean.mullan at oracle.com
Thu Feb 20 20:59:56 UTC 2020


Hi Bernd,

On 2/20/20 12:48 PM, Bernd Eckenfels wrote:
> Hello Sean,
> 
> Are the separate entries for 3DES and DES needed or can they also be 
> collapsed?

DES will not match 3DES if that's what you mean, so yes the separate 
entries are needed.

> BTW I am always unsure about the interactions of setting the Protocol and 
> the enabled ciphers so I am in the habit of setting the protocols before 
> using getEnabled or setting enabled ciphers. I guess it makes no 
> difference but for that reason I would move line 76 before 73 in the test.

I don't think it matters, but I switched it in any case.

Also, your comment made me realize I missed testing a 3DES suite, so I 
added "TLS_RSA_WITH_3DES_EDE_CBC_SHA" to the list of LEGACY_SUITES in 
the test. It's a minor change, so I'm not posting another webrev.

--Sean

> 
> Regards
> Bernd
> -- 
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf 
> of Sean Mullan <sean.mullan at oracle.com>
> *Sent:* Thursday, February 20, 2020 2:01:59 PM
> *To:* security Dev OpenJDK <security-dev at openjdk.java.net>
> *Subject:* [15] RFR: 8238560: Cleanup and consolidate algorithms in the 
> jdk.tls.legacyAlgorithms security property
> Please review this change to clean up and consolidate the default value
> of the jdk.tls.legacyAlgorithms security property. The following changes
> have been made:
> 
> 1. Changed K_NULL, C_NULL, M_NULL to NULL, which will cover all null
> cipher suites. The *_NULL algorithms were implementation details and not
> compliant with the specification of the property.
> 
> 2. Changed DH_anon, ECDH_anon to anon, which will cover all cipher
> suites using anonymous authentication.
> 
> 3. Changed RC4_128, RC4_40 to RC4, which will cover all cipher suites
> using RC4 for encryption.
> 
> 4. Changed DES_CBC, DES40_CBC to DES, which will cover all cipher suites
> using DES for encryption.
> 
> I also added a new regression test.
> 
> CSR: https://bugs.openjdk.java.net/browse/JDK-8239377
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8238560/webrev.00/
> 
> Thanks,
> Sean

