RFR: 8163327: Remove 3DES from the default enabled cipher suites list
Xue-Lei Andrew Fan
xuelei at openjdk.java.net
Tue Mar 22 14:46:32 UTC 2022
On Tue, 22 Mar 2022 12:28:14 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/CipherSuite.java line 425:
>>
>>> 423: ProtocolVersion.PROTOCOLS_TO_12,
>>> 424: K_RSA, B_3DES, M_SHA, H_SHA256),
>>> 425:
>>
>> It is good to have the supported cipher suites ordered. So it may be nice to have this block between line 348 and 349.
>
> Can you be more specific? I'm not following where you think they should be ordered. Are you suggesting they should be ordered before the anon suites even though most of them use stronger algorithms? Also, does the order matter if the application is going to be setting them via APIs? For example, if an application calls `SSLSocket.setEnabledCipherSuites(new String[] { "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" })` is the order specified respected? Or does the provider re-order it according to this file?
In some situation, applications may set the supported cipher suites as the enabled cipher suites. Therefore, the supported cipher suites are also ordered in the current implementation, even though not strictly. Although 3DES suites are pretty weak, but they m be better than anon suites in practice, I think.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7894
More information about the security-dev
mailing list