Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Fixed
Priority: P3
Fix Version/s: 12
Affects Version/s: None
Component/s: security-libs
Labels:

Subcomponent:
javax.net.ssl
Resolved In Build:
b18

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8215173	11.0.3-oracle	Sean Mullan	P3	Resolved	Fixed	master
JDK-8213089	11.0.3	Prasadarao Koppula	P3	Resolved	Fixed	master
JDK-8213816	11.0.2	Sean Mullan	P3	Resolved	Fixed	b04
JDK-8218531	openjdk8u212	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8215850	8u212	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8213336	8u211	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8213805	8u202	Prasadarao Koppula	P3	Resolved	Fixed	b05
JDK-8213090	8u201	Prasadarao Koppula	P3	Resolved	Fixed	b04
JDK-8220969	emb-8u211	Prasadarao Koppula	P3	Resolved	Fixed	master
JDK-8216913	emb-8u201	Prasadarao Koppula	P3	Resolved	Fixed	b04
JDK-8213380	7u221	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8213091	7u211	Prasadarao Koppula	P3	Resolved	Fixed	b04
JDK-8219305	openjdk7u	Prasadarao Koppula	P3	Resolved	Fixed	master

The TLS anon (anonymous) and NULL cipher suites are used rarely and have security weaknesses. Anonymous suites are vulnerable to man-in-the-middle attacks. NULL suites do not provide confidentiality. RFC 7525 (Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" says: "Implementations MUST NOT negotiate the cipher suites with NULL encryption." TLS 1.3 has removed them.

These suites are not enabled by default (i.e. they are not on the internal hardcoded list of ciphersuites that are available for TLS handshake), so an application has to explicitly enable them using an API or the "jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system properties. However, adding them to the "jdk.tls.disabledAlgorithms" security property adds an extra layer of protection should they be used accidentally or maliciously. This change is also consistent with prior crypto roadmap changes that have disabled insecure cipher suites.

backported by

JDK-8213089 Disable anon and NULL cipher suites

Resolved

JDK-8213090 Disable anon and NULL cipher suites

Resolved

JDK-8213091 Disable anon and NULL cipher suites

Resolved

JDK-8213336 Disable anon and NULL cipher suites

Resolved

JDK-8213380 Disable anon and NULL cipher suites

Resolved

JDK-8213805 Disable anon and NULL cipher suites

Resolved

JDK-8213816 Disable anon and NULL cipher suites

Resolved

JDK-8215173 Disable anon and NULL cipher suites

Resolved

JDK-8215850 Disable anon and NULL cipher suites

Resolved

JDK-8216913 Disable anon and NULL cipher suites

Resolved

JDK-8218531 Disable anon and NULL cipher suites

Resolved

JDK-8219305 Disable anon and NULL cipher suites

Resolved

JDK-8220969 Disable anon and NULL cipher suites

Resolved

csr for

JDK-8212823 Disable anon and NULL cipher suites

Closed

relates to

JDK-8217579 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883

Closed

JDK-8157035 Use stronger algorithms and keys for JSSE testing

Closed

(8 backported by, 1 csr for, 2 relates to)

Release Note: Disabled TLS anon and NULL Cipher Suites

Closed

Sean Mullan

Assignee:: Sean Mullan

Reporter:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2018-10-08 14:16

Updated:: 2019-09-23 17:06

Resolved:: 2018-10-25 10:56

Details

Backports

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates