RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite
Artur Barashev
abarashev at openjdk.org
Tue Nov 5 14:03:09 UTC 2024
The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether it is for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name, so an exact match is done, but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
-------------
Commit messages:
- Update the doc
- DisabledAlgorithmConstraints already caches the results of checkAlgorithm call
- Add cache of the wildcard matching results
- Make matching case-insensitive. Compact the code.
- 8341964: Add mechanism to disable different parts of TLS cipher suite
- Naming update. Adjust line length.
- - Key Exchange and Authentication algorithms undefined in TLSv1.3 cipher suites
- Do exact match on jdk.tls.disabledAlgorithms property
- Merge branch 'master' into JDK-8341964
- Remove duplicate description from docs
- ... and 10 more: https://git.openjdk.org/jdk/compare/a9eb50a2...836b76f4
Changes: https://git.openjdk.org/jdk/pull/21841/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=21841&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8341964
Stats: 216 lines in 5 files changed: 186 ins; 2 del; 28 mod
Patch: https://git.openjdk.org/jdk/pull/21841.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/21841/head:pull/21841
PR: https://git.openjdk.org/jdk/pull/21841
More information about the security-dev
mailing list