Type: CSR
Resolution: Approved
Priority: P3
Compatibility Kind: behavioral
Compatibility Risk: minimal
Interface Kind: Other
Scope: JDK
Summary
Propose to update the default enabled cipher suites preference in the SunJSSE provider for the Oracle JDK 7u. This is a partial backport of an enhancement already done in JDK 13.
For Oracle JDK 7u, CBC suites will continue to be preferred over the GCM suites.
Problem
Forward secrecy is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords.
In the current SunJSSE provider, the forward secrecy feature was considered, but given a lower priority. For example, the JDK prefers the better performance of the key exchange and digital signature algorithms, in the order
ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.
If forward secrecy were preferred first, the order would be
ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.
Meanwhile, the RSA key exchange algorithms and SHA-1 based HMAC algorithms have been deprecated in TLS 1.3. Even for TLS 1.2 and earlier versions, their priority should be decreased for safety as well.
Solution
Update the preference order of the default enabled cipher suites so that the SunJSSE provider prefers forward secrecy. The scope of this work is similar to that done for JDK 13.
The following factors are considered:
- Increase the priority of forward secrecy cipher suites.
- Increase the priority of ECDHE cipher suites.
- Decrease the priority of cipher suites that use SHA-1 hash algorithm.
- Decrease the priority of RSA key exchange based cipher suites.
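The four factors above, together with the forward-secrecy-first key exchange order given in the Problem section, can be expressed as a single sort key. The following is an added example written for this page, not JDK code: it parses IANA-style suite names, ranks them by the four factors, and leaves anything finer (AES key size, CBC vs GCM) in its input position because the sort is stable. The sample input list is constructed to follow the old "performance first" key exchange order quoted in the Problem section.

```python
"""Rank TLS cipher suites by the four factors the CSR lists (added example, not JDK code):
RSA key exchange last, SHA-1 suites after SHA-2 suites, forward-secret key exchanges
(ECDHE, DHE) before static ones, and ECDHE ahead of DHE, ECDH ahead of RSA."""

KX_RANK = {"ECDHE": 0, "DHE": 1, "ECDH": 2, "RSA": 3}
FORWARD_SECRET = {"ECDHE", "DHE"}

def parse_suite(name):
    """Return (key_exchange, auth, mac_hash) for an IANA-style suite name, or None for an SCSV."""
    if "_WITH_" not in name:
        return None                                  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    left, right = name.split("_WITH_", 1)
    kx_tokens = left.split("_")[1:]                  # drop the TLS_ prefix
    kx = kx_tokens[0]
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx    # TLS_RSA_* uses RSA for both roles
    return kx, auth, right.split("_")[-1]            # hash token: SHA, SHA256 or SHA384

def preference_key(name):
    """Lower tuples are preferred; each position is one factor from the CSR."""
    parsed = parse_suite(name)
    if parsed is None:
        return (9, 9, 9, 9)                          # signalling values always sort last
    kx, _auth, mac = parsed
    return (int(kx == "RSA"),                        # factor 4: demote RSA key exchange
            int(mac == "SHA"),                       # factor 3: demote SHA-1 based suites
            int(kx not in FORWARD_SECRET),           # factor 1: prefer forward secrecy
            KX_RANK.get(kx, 8))                      # factor 2: ECDHE, then DHE, ECDH, RSA

def reorder(suites):
    """Stable sort, so suites with an equal key keep their relative order."""
    return sorted(suites, key=preference_key)

# Constructed sample in the old "performance first" key exchange order from the Problem section.
OLD_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    print("\n".join(reorder(OLD_ORDER)))
```

Running it prints the SHA-2 suites in the forward-secrecy-first order ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, followed by the SHA-1 suite, the RSA key exchange suite, and the SCSV.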
A release note will accompany the JDK releases highlighting the cipher suite preference changes.
Specification
With this update, the preference order of the default enabled cipher suites in the SunJSSE provider becomes:
// Suite B compliant cipher suites
// AES_256(CBC) - ECDHE - forward secrecy
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
// AES_128(CBC) - ECDHE - forward secrecy
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
// AES_256(CBC) - DHE - forward secrecy
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
// AES_128(CBC) - DHE - forward secrecy
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
// AES_256(GCM) and AES_128(GCM) - ECDHE_ECDSA - forward secrecy
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
// AES_256(GCM) - ECDHE_RSA - forward secrecy
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
// AES_128(GCM) - ECDHE_RSA - forward secrecy
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
// AES_256(GCM) - DHE - forward secrecy
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
// AES_128(GCM) - DHE - forward secrecy
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
// AES_256(CBC) - ECDH - not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
// AES_128(CBC) - ECDH - not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
// AES_256(GCM) - ECDH - not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
// AES_128(GCM) - ECDH - not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
// AES_256(CBC) - ECDHE - using SHA-1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
// AES_128(CBC) - ECDHE - using SHA-1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
// AES_256(CBC) - DHE - using SHA-1
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
// AES_128(CBC) - DHE - using SHA-1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
// AES_256(CBC) - ECDH - using SHA-1, not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
// AES_128(CBC) - ECDH - using SHA-1, not forward secrecy
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
// deprecated - RSA key exchange, not forward secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
CSR of: JDK-8264390 Update the default enabled cipher suites preference (Resolved)