- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- System or security property
- JDK
Summary
Clean up and consolidate the algorithms set by default in the jdk.tls.legacyAlgorithms security property.
Problem
The default value of the jdk.tls.legacyAlgorithms security property contains several algorithms that are implementation specific and not compliant with the specification of the property: K_NULL, C_NULL, M_NULL. These can be replaced with a single NULL algorithm. Also, several other algorithms can be combined and consolidated using more general names.
Solution
Make the following changes to the jdk.tls.legacyAlgorithms property in the system-wide java.security file:
- Change K_NULL, C_NULL, M_NULL to NULL, which will cover all null cipher suites.
- Change DH_anon, ECDH_anon to anon, which will cover all cipher suites using anonymous authentication.
- Change RC4_128, RC4_40 to RC4, which will cover all cipher suites using RC4 for encryption.
- Change DES_CBC, DES40_CBC to DES, which will cover all cipher suites using DES for encryption.
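An added example (not part of the CSR or of the JDK sources): a Python check that reads a java.security-style file, extracts jdk.tls.legacyAlgorithms, and rewrites the older specific names to the consolidated ones listed above. The parser is simplified (only the = separator and backslash continuations are handled), and the function names and the sample fragment are constructed for illustration.

```python
# Mapping taken from the four changes listed in this CSR.
CONSOLIDATED = {
    "K_NULL": "NULL", "C_NULL": "NULL", "M_NULL": "NULL",
    "DH_anon": "anon", "ECDH_anon": "anon",
    "RC4_128": "RC4", "RC4_40": "RC4",
    "DES_CBC": "DES", "DES40_CBC": "DES",
}
PROPERTY = "jdk.tls.legacyAlgorithms"

def read_property(text, name=PROPERTY):
    """Return the last uncommented value of `name`, joining backslash continuations."""
    value, lines = None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment (includes the commented-out example)
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value

def consolidate(value):
    """Map specific names to the general ones, keeping order and dropping duplicates."""
    out, replaced = [], []
    for name in (n.strip() for n in value.split(",")):
        if not name:
            continue
        general = CONSOLIDATED.get(name, name)  # unknown names pass through unchanged
        if general != name:
            replaced.append(name)
        if general not in out:
            out.append(general)
    return ", ".join(out), replaced

# Constructed sample: the pre-change default from the diff, as a java.security fragment.
SAMPLE = r"""
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
jdk.tls.legacyAlgorithms= \
    K_NULL, C_NULL, M_NULL, \
    DH_anon, ECDH_anon, \
    RC4_128, RC4_40, DES_CBC, DES40_CBC, \
    3DES_EDE_CBC
"""

if __name__ == "__main__":
    new_value, replaced = consolidate(read_property(SAMPLE))
    print(f"{PROPERTY}={new_value}  (replaced: {', '.join(replaced)})")
```

Because each general name covers all cipher suites using that algorithm, rewriting a site-specific override this way can widen what is treated as legacy compared with the narrower names it replaces.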
Specification
diff -r 370f25f90d1f src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security Wed Feb 12 09:38:59 2020 -0500
+++ b/src/java.base/share/conf/security/java.security Wed Feb 19 11:13:50 2020 -0500
@@ -793,11 +793,7 @@
# Example:
# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
-jdk.tls.legacyAlgorithms= \
- K_NULL, C_NULL, M_NULL, \
- DH_anon, ECDH_anon, \
- RC4_128, RC4_40, DES_CBC, DES40_CBC, \
- 3DES_EDE_CBC
+jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
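Review bot: The example in the unchanged comment above the property (jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5) still uses the narrower names that this change removes from the default, so the documented form and the shipped value no longer illustrate the same naming. Consider updating the example to the general names and stating in the comment block that NULL, anon, RC4 and DES each match every cipher suite using that algorithm. Since 3DES_EDE_CBC remains listed separately on the new line, it would also help to say whether DES is meant to cover it.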
- csr of JDK-8238560 Cleanup and consolidate algorithms in the jdk.tls.legacyAlgorithms security property (Closed)