Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8223482

Unsupported ciphersuites may be offered by a TLS client

XMLWordPrintable

    • 11
    • b23
    • generic
    • generic

        A TLS client may offer ciphersuites that it does not support to a TLS server. This happens when SunJCE security provider is disabled. Once possible reason for disabling SunJCE is enabling FIPS mode.

        There is an explicit assumption that SunJCE will always be available, when deciding if a ciphersuite is enabled: http://hg.openjdk.java.net/jdk/jdk/file/4f2fd02922b1/src/java.base/share/classes/sun/security/ssl/SSLCipher.java#l492

        In the context of fixing this bug, we should review that assumption and check whether or not the ciphersuite should be offered in run time.

        To reproduce this bug, we can apply the attached patch to FipsModeTLS12 test. The TLS client will offer TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite while AES/GCM/NoPadding transformation is not available in SunPKCS11 provider. Verified in JDK revision df2b3565f343.

              mbalao Martin Balao Alonso
              mbalao Martin Balao Alonso
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: