[15] RFR: 8238560: Cleanup and consolidate algorithms in the jdk.tls.legacyAlgorithms security property
Sean Mullan
sean.mullan at oracle.com
Thu Feb 20 20:59:56 UTC 2020
Hi Bernd,

On 2/20/20 12:48 PM, Bernd Eckenfels wrote:
> Hello Sean,
>
> Are the separate entries for 3DES and DES needed or can they also be
> collapsed?

DES will not match 3DES if that's what you mean, so yes the separate
entries are needed.

> BTW I am always unsure about the interactions of setting the Protocol and
> the enabled ciphers so I am in the habit of setting the protocols before
> using getEnabled or setting enabled ciphers. I guess it makes no
> difference but for that reason I would move line 76 before 73 in the test.

I don't think it matters, but I switched it in any case.

Also, your comment made me realize I missed testing a 3DES suite, so I
added "TLS_RSA_WITH_3DES_EDE_CBC_SHA" to the list of LEGACY_SUITES in
the test. It's a minor change, so I'm not posting another webrev.

--Sean
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf
> of Sean Mullan <sean.mullan at oracle.com>
> *Sent:* Thursday, February 20, 2020 2:01:59 PM
> *To:* security Dev OpenJDK <security-dev at openjdk.java.net>
> *Subject:* [15] RFR: 8238560: Cleanup and consolidate algorithms in the
> jdk.tls.legacyAlgorithms security property
> Please review this change to clean up and consolidate the default value
> of the jdk.tls.legacyAlgorithms security property. The following changes
> have been made:
>
> 1. Changed K_NULL, C_NULL, M_NULL to NULL, which will cover all null
> cipher suites. The *_NULL algorithms were implementation details and not
> compliant with the specification of the property.
>
> 2. Changed DH_anon, ECDH_anon to anon, which will cover all cipher
> suites using anonymous authentication.
>
> 3. Changed RC4_128, RC4_40 to RC4, which will cover all cipher suites
> using RC4 for encryption.
>
> 4. Changed DES_CBC, DES40_CBC to DES, which will cover all cipher suites
> using DES for encryption.
>
> I also added a new regression test.
>
> CSR: https://bugs.openjdk.java.net/browse/JDK-8239377
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8238560/webrev.00/
>
> Thanks,
> Sean