- Enhancement
- Resolution: Fixed
- P3
- None
- b26
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8356230 | 17.0.18-oracle | Konanki Sreenath | P3 | Open | Unresolved | |
JDK-8356231 | 11.0.30-oracle | Konanki Sreenath | P3 | Open | Unresolved | |
JDK-8356232 | 8u481 | Konanki Sreenath | P3 | Open | Unresolved | |
Some TLS_RSA_* cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, all of which are disabled. This change disables all remaining TLS_RSA cipher suites.
[1] RFC 9325, Recommendations for Secure Use of TLS and DTLS (https://www.rfc-editor.org/rfc/rfc9325.html#section-4.1-2.5.1): "Implementations SHOULD NOT negotiate cipher suites based on RSA key transport, a.k.a. 'static RSA'. Rationale: These cipher suites, which have assigned values starting with the string 'TLS_RSA_WITH_*', have several drawbacks, especially the fact that they do not support forward secrecy."
[2] IETF Draft, Deprecating Obsolete Key Exchange Methods in TLS (https://www.ietf.org/archive/id/draft-ietf-tls-deprecate-obsolete-kex-05.html#section-4): "Clients MUST NOT offer and servers MUST NOT select RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].)"
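To check whether a given JVM still enables static-RSA suites by default, the following added example (not code from the JDK or from this issue) lists the default-enabled suites whose names begin with `TLS_RSA_WITH_`, the prefix named in [1]. The class name `StaticRsaAudit` is hypothetical, the `SSL_RSA_WITH_` legacy-name check goes beyond what the issue covers, and printing the `jdk.tls.disabledAlgorithms` security property assumes the restriction is expressed there, which this page does not state.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/** Added example: reports static-RSA cipher suites enabled by default on this JVM. */
public class StaticRsaAudit {

    /**
     * Static RSA key transport suites are named TLS_RSA_WITH_* (RFC 9325, section 4.1).
     * JSSE also uses legacy SSL_RSA_WITH_* names for some of them, so both are matched.
     */
    static boolean isStaticRsa(String suite) {
        return suite.startsWith("TLS_RSA_WITH_") || suite.startsWith("SSL_RSA_WITH_");
    }

    /** Returns the static-RSA entries of a cipher suite list, preserving order. */
    static List<String> staticRsaIn(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String suite : suites) {
            if (isStaticRsa(suite)) {
                hits.add(suite);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Suites a client or server gets when the application configures nothing itself.
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = staticRsaIn(ctx.getDefaultSSLParameters().getCipherSuites());

        System.out.println("java.version: " + System.getProperty("java.version"));
        // Assumption: the restriction shows up in this security property.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("static-RSA suites enabled by default: " + enabled);

        // Non-zero exit lets a build or fleet check flag JVMs that still offer static RSA.
        if (!enabled.isEmpty()) {
            System.exit(1);
        }
    }
}
```

The check covers JVM defaults only; an application that calls `setEnabledCipherSuites` itself has to be reviewed separately.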
- backported by
  - JDK-8356230 Disable TLS_RSA cipher suites (Open)
  - JDK-8356231 Disable TLS_RSA cipher suites (Open)
  - JDK-8356232 Disable TLS_RSA cipher suites (Open)
- csr for
  - JDK-8344257 Disable TLS_RSA cipher suites (Closed)
- is blocked by
  - JDK-8341964 Add mechanism to disable different parts of TLS cipher suite (Resolved)
- relates to
  - JDK-8163326 Update the default enabled cipher suites preference (Resolved)
  - JDK-8341964 Add mechanism to disable different parts of TLS cipher suite (Resolved)
- links to
  - Commit(master) openjdk/jdk/882d6358
  - Review(master) openjdk/jdk/22163