RFR: 8163327: Remove 3DES from the default enabled cipher suites list

Sean Mullan mullan at openjdk.java.net
Tue Mar 22 19:21:36 UTC 2022


On Tue, 22 Mar 2022 14:42:53 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Can you be more specific? I'm not following where you think they should be ordered. Are you suggesting they should be ordered before the anon suites even though most of them use stronger algorithms? Also, does the order matter if the application is going to be setting them via APIs? For example, if an application calls `SSLSocket.setEnabledCipherSuites(new String[] { "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" })` is the order specified respected? Or does the provider re-order it according to this file?
>
> In some situation, applications may set the supported cipher suites as the enabled cipher suites.  Therefore, the supported cipher suites are also ordered in the current implementation, even though not strictly.  Although 3DES suites are pretty weak, but they might be better than anon suites in practice, I think.

I see. That makes sense. However, I will note that the current order does not reflect the preference rules defined in lines 336-348 (copied below):


    // Definition of the CipherSuites that are supported but not enabled
    // by default.
    // They are listed in preference order, preferred first, using the
    // following criteria:
    // 1. If a cipher suite has been obsoleted, we put it at the end of
    //    the list.
    // 2. Prefer the stronger bulk cipher, in the order of AES_256,
    //    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
    // 3. Prefer the stronger MAC algorithm, in the order of SHA384,
    //    SHA256, SHA, MD5.
    // 4. Prefer the better performance of key exchange and digital
    //    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
    //    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.

In particular, some of the RC4 suites support forward secrecy but are ordered after the anon suites. The rules above say nothing about anon suites. They seem to be ordered as higher priority than others mainly because they use stronger ciphers. But 3DES and RC4 are obsolete suites, so maybe it is correct that they should be where they are.

Thus, it isn't clear to me if the current order does or does not accurately reflect these rules. I put the 3DES suites where they were because to me they are probably/maybe stronger than the RC4 suites, but do not use strong ciphers that the anon suites do, and are obsolete. So we either need to clarify the rules and put anon suites lower, and change the obsolete rule. Otherwise, I'm reluctant to make a change that seems inconsistent with the rules.

Having said all that, I also don't want to over-rotate on this and try to decide what suite is more weaker than others, since you really shouldn't be using any of them.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7894



More information about the security-dev mailing list