JDK-8223482: Unsupported ciphersuites may be offered by a TLS client


Details

    • 11
    • b23
    • generic
    • generic


Description

A TLS client may offer ciphersuites that it does not support to a TLS server. This happens when the SunJCE security provider is disabled. One possible reason for disabling SunJCE is enabling FIPS mode.

There is an explicit assumption that SunJCE will always be available when deciding if a ciphersuite is enabled: http://hg.openjdk.java.net/jdk/jdk/file/4f2fd02922b1/src/java.base/share/classes/sun/security/ssl/SSLCipher.java#l492

In the context of fixing this bug, we should review that assumption and check at run time whether or not the ciphersuite should be offered.

To reproduce this bug, we can apply the attached patch to the FipsModeTLS12 test. The TLS client will offer the TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite while the AES/GCM/NoPadding transformation is not available in the SunPKCS11 provider. Verified in JDK revision df2b3565f343.
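As an added illustration of the run-time check the description asks for (this is not JDK code and not the fix itself): a small Java program that asks the installed providers for the bulk-cipher transformation behind each enabled suite and reports suites the default SSLEngine would offer without a provider able to back them. The class name and the suite-to-transformation map are assumptions, and the map covers only a few suites.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class OfferedSuiteCheck {
    // Assumed mapping from a suite-name fragment to the JCE transformation the
    // record layer needs for it; only a handful of suites are covered here.
    private static final Map<String, String> BULK_CIPHER = Map.of(
        "AES_128_GCM", "AES/GCM/NoPadding",
        "AES_256_GCM", "AES/GCM/NoPadding",
        "AES_128_CBC", "AES/CBC/NoPadding",
        "AES_256_CBC", "AES/CBC/NoPadding",
        "CHACHA20_POLY1305", "ChaCha20-Poly1305");

    // True if any installed provider can instantiate the transformation.
    static boolean transformationAvailable(String transformation) {
        try {
            Cipher.getInstance(transformation);
            return true;
        } catch (GeneralSecurityException e) {
            return false;  // NoSuchAlgorithmException or NoSuchPaddingException
        }
    }

    // Enabled suites whose bulk cipher no installed provider can supply.
    static List<String> offeredWithoutProvider(SSLEngine engine) {
        List<String> unsupported = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            for (Map.Entry<String, String> e : BULK_CIPHER.entrySet()) {
                if (suite.contains(e.getKey()) && !transformationAvailable(e.getValue())) {
                    unsupported.add(suite);
                    break;
                }
            }
        }
        return unsupported;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> unsupported = offeredWithoutProvider(engine);
        System.out.println(unsupported.isEmpty()
            ? "Every enabled suite has a provider for its bulk cipher"
            : "Offered but unsupported: " + unsupported);
    }
}
```

Run it on a JVM where SunJCE is disabled (for example the FIPS configuration described above) to see which suites the default engine would still offer; the check only covers the bulk cipher, not the MAC or key-exchange primitives a suite also depends on.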

People

mbalao Martin Balao Alonso