Uploaded image for project: 'CCC Migration Project'
  1. CCC Migration Project
  2. CCC-8176745

Drop SSLContext TLSv1 cipher suite requirements

    XMLWordPrintable

Details

    • minimal
    • Other
    • SE

    Description

      Summary

      Drop SSLContext TLSv1 cipher suite requirements from Security Algorithm Implementation Requirements for Java SE.

      Problem

      The current Security Algorithm Implementation Requirements for Java SE (see http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl) requires implementations to support a "TLSv1" SSLContext with the following additional footnote:

      "A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746."

      This additional requirement listed in the footnote has turned out to be problematic as 3DES is now weak and considered a security risk. Mandating cipher suite requirements is not a good idea as algorithms weaken over time. Requiring specific cipher suites also makes it more difficult to pass the JCK (additional configuration is necessary) when these algorithms are disabled by default.

      Solution

      Remove the following footnote from http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl:

      "A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746."

      Specification

      Remove the following footnote from http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl:

      A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746.

      Attachments

        Issue Links

          Activity

            People

              mullan Sean Mullan
              mullan Sean Mullan
              Xuelei Fan
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: