RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v3]
Sean Mullan
mullan at openjdk.org
Tue Nov 5 21:40:31 UTC 2024
On Tue, 5 Nov 2024 17:40:46 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether it is for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name, so an exact match is done, but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> "Cipher suites must start with TLS_" doc update
Changes requested by mullan (Reviewer).
src/java.base/share/conf/security/java.security line 779:
> 777: # See the specification of "jdk.certpath.disabledAlgorithms" for the
> 778: # syntax of the disabled algorithm string. Additionally, TLS cipher suites
> 779: # can be disabled here using "*" wildcard syntax. For example "TLS_RSA_*"
Suggest not using "here" and instead say "with this property", ex: "... can be disabled with this property using ..."
src/java.base/share/conf/security/java.security line 780:
> 778: # syntax of the disabled algorithm string. Additionally, TLS cipher suites
> 779: # can be disabled here using "*" wildcard syntax. For example "TLS_RSA_*"
> 780: # disables all cipher suites that start with "TLS_RSA_". Only the algorithms
s/the algorithms/cipher suites/
s/have/have a/
Can you only have one wildcard and must it have nothing after it? If so, we should also state those constraints.
-------------
PR Review: https://git.openjdk.org/jdk/pull/21841#pullrequestreview-2416743130
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1830031486
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1830033235
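An added example, not code from the PR or from the JDK: a small Java program that appends the trailing-wildcard pattern discussed above to the jdk.tls.disabledAlgorithms security property and then checks the effect on the default SSLContext. It assumes a JDK build that includes this change (the wildcard syntax is what the PR introduces); the class name DisableRsaKeyExchange is made up.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class DisableRsaKeyExchange {

    // Returns the names of the cipher suites the default SSLContext enables after
    // the property has been changed. Must run before any other TLS use in the JVM,
    // because SunJSSE reads jdk.tls.disabledAlgorithms once, at initialization.
    static String[] enabledSuitesAfterDisabling(String pattern) throws Exception {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String updated = (current == null || current.isBlank())
                ? pattern
                : current + ", " + pattern;
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        return engine.getEnabledCipherSuites();
    }

    static long countWithPrefix(String[] suites, String prefix) {
        return Arrays.stream(suites).filter(s -> s.startsWith(prefix)).count();
    }

    public static void main(String[] args) throws Exception {
        // "TLS_RSA_*" matches every suite whose name starts with "TLS_RSA_", i.e. the
        // RSA key exchange suites, without touching suites such as TLS_ECDHE_RSA_*
        // where RSA is used only for authentication. Plain "RSA" would disable both.
        String[] enabled = enabledSuitesAfterDisabling("TLS_RSA_*");

        System.out.println("Enabled suites still starting with TLS_RSA_ (RSA key exchange): "
                + countWithPrefix(enabled, "TLS_RSA_"));
        System.out.println("Enabled suites starting with TLS_ECDHE_RSA_ (RSA authentication only): "
                + countWithPrefix(enabled, "TLS_ECDHE_RSA_"));
        System.out.println("Effective jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

On a build with this change the first count drops to zero while the second stays unchanged; on an older JDK the wildcard entry is not understood and the first count is unchanged, which is a quick way to confirm whether the syntax is in effect.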
More information about the security-dev mailing list