<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="DE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi security experts,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">one of our customers is running into an issue with a Tomcat application after JDK-8211883 [1]. It seems that because of adding NULL to jdk.tls.disabledAlgorithms, the pseudo cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV
is disabled. Seems like, according to CipherSuite.java [2], it is considered a NULL cipher. The tracing/reproducer shows that it’s definitely disabled via jdk.tls.disabledAlgorithms=NULL.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">However, with my limited knowledge of TLS and cipher suites and googling around, I understand that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is part of the RFC 5746 specification [3], which is still considered secure and state
of the art for renegotiation. Is that correct?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The effect now in the customer application is that the client sends the SCSV and the Tomcat SSL Engine checks for the presence of the SCSV cipher in the cipher suites [4]. Since it is not present, the handshake is stopped
by removing all ciphers [5].<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I also understand the Oracle readme about the renegotiation topic, that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a thing to have but not to disable.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Please let me know if you agree with my analysis. If so, could you please file a bug or tell me to do so? Otherwise let me know what I’m missing. The workaround for the customer is to remove the NULL entry from jdk.tls.disabledAlgorithms
for the time being. I guess that’s a bit more secure than setting “sun.security.ssl.allowUnsafeRenegotiation”
</span><span lang="EN-US" style="font-family:'Segoe UI Emoji',sans-serif">😉</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Christoph<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[1] <a href="https://bugs.openjdk.java.net/browse/JDK-8211883">
https://bugs.openjdk.java.net/browse/JDK-8211883</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[2] <a href="http://hg.openjdk.java.net/jdk/jdk/file/1ae823617395/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#l312">
http://hg.openjdk.java.net/jdk/jdk/file/1ae823617395/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#l312</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[3] <a href="http://www.ietf.org/rfc/rfc5746.txt">
http://www.ietf.org/rfc/rfc5746.txt</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[4] <a href="https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L145">
https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L145</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[5] <a href="https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L293">
https://github.com/apache/tomcat70/blob/600d5c81aafee7e95fe07c3b9182f37741e2d0d8/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L293</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[6] <a href="https://www.oracle.com/technetwork/java/javase/overview/tlsreadme2-176330.html">
https://www.oracle.com/technetwork/java/javase/overview/tlsreadme2-176330.html</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
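<p class="MsoNormal"><span lang="EN-US">A diagnostic for the condition described in the message above, added here as an example; it is not part of the original message and is not JDK or Tomcat code. It reports whether the running JVM's jdk.tls.disabledAlgorithms has a NULL entry and whether TLS_EMPTY_RENEGOTIATION_INFO_SCSV is among the supported and enabled cipher suites of a default server-side SSLEngine. The class name ScsvCheck and the optional command-line override are assumptions made for illustration.</span></p>

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name), not JDK or Tomcat source.
public class ScsvCheck {
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
    static final String PROP = "jdk.tls.disabledAlgorithms";

    // True if the comma-separated property value has a bare entry equal to name.
    static boolean hasEntry(String propertyValue, String name) {
        if (propertyValue == null) return false;
        for (String entry : propertyValue.split(",")) {
            if (entry.trim().equalsIgnoreCase(name)) return true;
        }
        return false;
    }

    // True if the SCSV pseudo cipher suite is in the given list.
    static boolean hasScsv(String[] suites) {
        return Arrays.asList(suites).contains(SCSV);
    }

    public static void main(String[] args) throws Exception {
        // Optional override for comparison runs. It is set before the first
        // use of JSSE so that the provider sees the value.
        if (args.length == 1) Security.setProperty(PROP, args[0]);

        String disabled = Security.getProperty(PROP);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);          // default key and trust material
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);      // server side, as in the Tomcat case

        boolean supported = hasScsv(engine.getSupportedCipherSuites());
        boolean enabled = hasScsv(engine.getEnabledCipherSuites());

        System.out.println("java.version           = " + System.getProperty("java.version"));
        System.out.println(PROP + " = " + disabled);
        System.out.println("NULL entry present     = " + hasEntry(disabled, "NULL"));
        System.out.println("SCSV in supported list = " + supported);
        System.out.println("SCSV in enabled list   = " + enabled);

        // Non-zero exit lets a deployment check flag a JVM where the SCSV is missing.
        System.exit(supported ? 0 : 1);
    }
}
```

<p class="MsoNormal"><span lang="EN-US">Run it on the affected JDK with no argument to see the shipped configuration, then again with the property value minus the NULL entry as the single argument to compare the two results.</span></p>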
</div>
</body>
</html>