-
Bug
-
Resolution: Fixed
-
P2
-
7u211, 8u201, 11.0.2, 11.0.3, 12
-
b06
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8218373 | 12.0.2 | Sean Mullan | P2 | Resolved | Fixed | b01 |
JDK-8218325 | 12.0.1 | Sean Mullan | P2 | Resolved | Fixed | b06 |
JDK-8218072 | 12 | Sean Mullan | P2 | Resolved | Fixed | b30 |
JDK-8218073 | 11.0.4-oracle | Sean Coffey | P2 | Closed | Fixed | b01 |
JDK-8218390 | 11.0.3-oracle | Sean Coffey | P2 | Closed | Fixed | b06 |
JDK-8218191 | 11.0.3 | Sean Mullan | P2 | Closed | Fixed | master |
JDK-8219594 | openjdk8u212 | Paul Hohensee | P2 | Resolved | Fixed | b01 |
JDK-8243744 | 8u261 | Prasadarao Koppula | P2 | Resolved | Fixed | b05 |
JDK-8218257 | 8u222 | Sean Coffey | P2 | Resolved | Fixed | master |
JDK-8218075 | 8u221 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8218437 | 8u212 | Sean Coffey | P2 | Resolved | Fixed | b05 |
JDK-8218430 | 8u211 | Sean Coffey | P2 | Closed | Fixed | b05 |
JDK-8247082 | emb-8u261 | Prasadarao Koppula | P2 | Resolved | Fixed | team |
JDK-8224354 | emb-8u221 | Sean Coffey | P2 | Resolved | Fixed | master |
JDK-8221038 | emb-8u211 | Sean Coffey | P2 | Resolved | Fixed | b05 |
JDK-8218137 | 7u231 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8218433 | 7u221 | Sean Coffey | P2 | Closed | Fixed | b04 |
JDK-8222655 | openjdk7u | Andrew Hughes | P2 | Resolved | Fixed | master |
It appears, "8211883: Disable anon and NULL cipher suites" is the reason TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone now.
It looks like some of our Tomcat users are running into this issue because
TLS_EMPTY_RENEGOTIATION_INFO_SCSV plays some role there .
Full JDK Versions
-----------------
JDK 7u211 and later, 8u201 and later, 11.0.2 and later
Testcase & Reproduction Instructions
------------------------------------
import java.util.*;
import javax.net.ssl.SSLServerSocketFactory;
public class Ciphers
{
public static void main(String[] args)
throws Exception
{
SSLServerSocketFactory ssf =
SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
String[] defaultCiphers = ssf.getDefaultCipherSuites();
String[] availableCiphers = ssf.getSupportedCipherSuites();
System.out.println("default ciphers:");
System.out.println("------------------------------");
for (String s: defaultCiphers) {
System.out.println(s);
}
System.out.println("available ciphers:");
System.out.println("------------------------------");
for (String s: availableCiphers) {
System.out.println("available:" + s);
}
}
}
Workaround
----------
Remove NULL from jdk.tls.disabledAlgorithm
Related Bugs, Forum Threads
---------------------------
https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019237.html
- backported by
-
JDK-8218072 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218075 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218137 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218257 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218325 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218373 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218437 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8219594 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8221038 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8222655 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8224354 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8243744 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8247082 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Resolved
-
-
JDK-8218073 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Closed
-
-
JDK-8218191 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Closed
-
-
JDK-8218390 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Closed
-
-
JDK-8218430 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Closed
-
-
JDK-8218433 TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
-
- Closed
-
- duplicates
-
JDK-8207784 CheckCipherSuites.java test is ignored
-
- Closed
-
- relates to
-
JDK-8211883 Disable anon and NULL cipher suites
-
- Resolved
-