RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v3]
Artur Barashev
abarashev at openjdk.org
Mon Oct 28 22:36:15 UTC 2024
> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether it is for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name, so an exact match is done, but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
>
> We should extend the syntax of the property to be able to distinguish between different cryptographic primitives used in the cipher suite. I think adding a new constraint something like:
>
> TLSCipherConstraint: kx | authn
>
> So when disabling TLS_RSA suites, you would add "RSA kx" to the property.
Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
- Key Exchange and Authentication algorithms undefined in TLSv1.3 cipher suites
- Adjust line length
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/21577/files
- new: https://git.openjdk.org/jdk/pull/21577/files/fd3ae924..ecf44e38
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=21577&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=21577&range=01-02
Stats: 91 lines in 3 files changed: 4 ins; 78 del; 9 mod
Patch: https://git.openjdk.org/jdk/pull/21577.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/21577/head:pull/21577
PR: https://git.openjdk.org/jdk/pull/21577
More information about the security-dev
mailing list