-
Enhancement
-
Resolution: Fixed
-
P4
-
None
-
b120
Q:
In the java.security file RC4 is listed in the jdk.tls.disabledAlgorithms property. But it is also listed in jdk.tls.legacyAlgorithms (RC4_128, RC4_40). If it is completely disabled, shouldn't we remove it from jdk.tls.legacyAlgorithms?
A:
If customers remove an algorithm from the jdk.tls.disabledAlgorithms, he may not remember to update the legacyAlgorithms too. Removing RC4 or keeping RC4 in legacy list both have good side and bad side.
Solution:
Add a note in the java.security file that says algorithms in "jdk.tls.disabledAlgorithms" always override algorithms of the same name in "jdk.tls.legacyAlgorithms".
In the java.security file RC4 is listed in the jdk.tls.disabledAlgorithms property. But it is also listed in jdk.tls.legacyAlgorithms (RC4_128, RC4_40). If it is completely disabled, shouldn't we remove it from jdk.tls.legacyAlgorithms?
A:
If customers remove an algorithm from the jdk.tls.disabledAlgorithms, he may not remember to update the legacyAlgorithms too. Removing RC4 or keeping RC4 in legacy list both have good side and bad side.
Solution:
Add a note in the java.security file that says algorithms in "jdk.tls.disabledAlgorithms" always override algorithms of the same name in "jdk.tls.legacyAlgorithms".