RFR: 8163327: Remove 3DES from the default enabled cipher suites list

Sean Mullan mullan at openjdk.java.net
Tue Mar 22 12:31:35 UTC 2022


On Tue, 22 Mar 2022 06:15:07 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> This fix removes obsolete and deprecated 3DES cipher suites from the default enabled cipher suites list of the SunJSSE provider implementation. 
>> 
>> Note that 3DES suites are already disabled by default via the `jdk.tls.disabledAlgorithms` security property.  This change goes one step further and provides an extra level of defense by making them unavailable by default.  See the CSR for more details: https://bugs.openjdk.java.net/browse/JDK-8283450
>
> src/java.base/share/classes/sun/security/ssl/CipherSuite.java line 425:
> 
>> 423:             ProtocolVersion.PROTOCOLS_TO_12,
>> 424:             K_RSA, B_3DES, M_SHA, H_SHA256),
>> 425: 
> 
> It is good to have the supported cipher suites ordered.  So it may be nice to have this block between line 348 and 349.

Can you be more specific? I'm not following where you think they should be ordered. Are you suggesting they should be ordered before the anon suites even though most of them use stronger algorithms? Also, does the order matter if the application is going to be setting them via APIs? For example, if an application calls `SSLSocket.setEnabledCipherSuites(new String[] { "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" })` is the order specified respected? Or does the provider re-order it according to this file?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7894



More information about the security-dev mailing list