RFR: 8245545: Disable TLS_RSA cipher suites [v8]

Artur Barashev abarashev at openjdk.org
Wed Nov 20 20:34:53 UTC 2024 

> These cipher suites do not preserve forward-secrecy and are not commonly used. Other TLS implementations (ex: Rustls) do not support or enable these suites by default. RFC 9325 [1] states that these suites should not be used. The IETF Draft "Deprecating Obsolete Key Exchange Methods in TLS" [2] mandates that these suites not be used.
> 
> Some TLS_RSA_* cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action will disable all remaining TLS_RSA cipher suites.
> 
> [1] RFC 9325, Recommendations for Secure Use of TLS and DTLS (https://www.rfc-editor.org/rfc/rfc9325.html#section-4.1-2.5.1): "Implementations SHOULD NOT negotiate cipher suites based on RSA key transport, a.k.a. "static RSA". Rationale: These cipher suites, which have assigned values starting with the string "TLS_RSA_WITH_*", have several drawbacks, especially the fact that they do not support forward secrecy."
> [2] IETF Draft, Deprecating Obsolete Key Exchange Methods in TLS (https://www.ietf.org/archive/id/draft-ietf-tls-deprecate-obsolete-kex-05.html#section-4): "Clients MUST NOT offer and servers MUST NOT select RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].)"

Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:

  Update DisabledAlgorithms test with the list of disabled cipher suites.

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/22163/files
  - new: https://git.openjdk.org/jdk/pull/22163/files/96e99932..13d59e59

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=22163&range=07
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22163&range=06-07

  Stats: 8 lines in 1 file changed: 6 ins; 0 del; 2 mod
  Patch: https://git.openjdk.org/jdk/pull/22163.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22163/head:pull/22163

PR: https://git.openjdk.org/jdk/pull/22163

More information about the security-dev mailing list