JDK-8266562

Update the default enabled cipher suites preference


    • behavioral
    • minimal
    • The impact should be minimal as only the default enabled cipher suites preference order is changed. Preference of DHE_RSA over RSA could increase group/size related interoperability problems. However, it is expected that this is mitigated by the fact that existing implementations have been confronted with bigger DHE keys for some time now. Besides, many existing servers prefer ECDHE or would have picked DHE over RSA anyway.
    • Other
    • JDK

      Summary

      Propose to update the default enabled cipher suites preference in the SunJSSE provider for the Oracle JDK 8u and JDK 11u releases. This is a backport of an enhancement already done in JDK 13.

      JDK 11u and 8u releases will be very similar in preference order to the work done in JDK 13.

      For JDK 7u, CBC suites will continue to be preferred over the GCM suites. The JDK 7u changes will be logged in a separate CSR.

      Problem

      Forward secrecy is a feature of specific key agreement protocols that gives assurance that your session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords.

      In the current SunJSSE provider, forward secrecy was considered, but with a lower priority than performance. For example, the JDK prefers the key exchange and digital signature algorithms with better performance, in the order

      ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.

      If forward secrecy is given priority instead, the order should be

      ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.

      Meanwhile, the RSA key exchange algorithms and SHA-1 based HMAC algorithms have been deprecated in TLS 1.3. Even for TLS 1.2 and earlier versions, their priority should be decreased for safety as well.

      Solution

      Change the SunJSSE provider to prefer forward secrecy by updating the preference order of the default enabled cipher suites. The scope of this work is similar to that done for JDK 13.

      The following factors are considered:

      1. Increase the priority of forward secrecy cipher suites.
      2. Increase the priority of GCM mode cipher suites.
      3. Increase the priority of ECDHE cipher suites.
      4. Decrease the priority of cipher suites that use SHA-1 hash algorithm.
      5. Decrease the priority of RSA key exchange based cipher suites.

      One difference in the backport is that the CHACHA20 cipher suites are not available in JDK 11 or earlier, so they are not considered here.

      A release note will accompany the JDK releases highlighting the cipher suite preference changes.

      Specification

      With this update, the cipher suite preference order in the SunJSSE provider is changed to:

      • Forward secrecy cipher suites.
        • Suite B compliant cipher suites
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • Not Suite B, but positioned early in the list of TLS 1.2 suites.
        • AES_256(GCM) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • AES_128(GCM) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • AES_256(GCM) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
        • AES_128(GCM) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        • AES_256(CBC) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        • AES_128(CBC) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        • AES_256(CBC) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
          • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
        • AES_128(CBC) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
      • not forward secrecy cipher suites.
        • AES_256(GCM) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        • AES_128(GCM) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        • AES_256(CBC) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        • AES_128(CBC) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
      • Cipher suites that use SHA-1, used for compatibility
        • AES_256(CBC) - ECDHE - forward secrecy, using SHA-1
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - ECDHE - forward secrecy, using SHA-1
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • AES_256(CBC) - DHE - forward secrecy, using SHA-1
          • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - DHE - forward secrecy, using SHA-1
          • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        • AES_256(CBC) - not forward secrecy, using SHA-1
          • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
          • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - not forward secrecy, using SHA-1
          • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
      • deprecated, used for compatibility only
        • RSA - not forward secrecy
          • TLS_RSA_WITH_AES_256_GCM_SHA384
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA256
          • TLS_RSA_WITH_AES_128_CBC_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_CBC_SHA
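
The following is an added example and is not part of this CSR or of the JDK sources. It encodes the five factors from the Solution section as a ranking over TLS 1.2 cipher suite names, reports where an enabled-suite order contradicts that ranking (using a constructed sample in the pre-change order quoted in the Problem section), inspects the running JDK's own default enabled suites, and shows the server-side mitigation available on JDKs that predate this backport: pin an explicit forward-secrecy-first order with `SSLParameters.setCipherSuites` and `setUseCipherSuitesOrder(true)`. The class name, method names and weights are this example's own choices, not JDK identifiers.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example (not JDK code). Ranks TLS 1.2 cipher suite names by the five
 * factors of the CSR, detects inversions in an enabled-suite order, and pins
 * a server-side order explicitly.
 */
public class CipherSuitePreferenceCheck {

    static boolean forwardSecret(String s) {
        return s.startsWith("TLS_ECDHE_") || s.startsWith("TLS_DHE_");
    }

    /**
     * Lower rank = higher preference. Weights are chosen (example's own choice)
     * so that each factor dominates the ones after it, matching the group
     * order of the Specification: RSA key exchange last, SHA-1 suites next to
     * last, then static ECDH (no forward secrecy), then CBC, then DHE vs ECDHE.
     */
    static int rank(String s) {
        int r = 0;
        if (s.startsWith("TLS_RSA_"))    r += 100000; // factor 5: RSA key exchange
        if (s.endsWith("_SHA"))          r += 10000;  // factor 4: SHA-1 HMAC
        if (!forwardSecret(s))           r += 1000;   // factor 1: no forward secrecy
        if (!s.contains("_GCM_"))        r += 100;    // factor 2: CBC rather than GCM
        if (!s.startsWith("TLS_ECDHE_")) r += 10;     // factor 3: DHE rather than ECDHE
        return r;
    }

    /** Reports every suite that ranks better than a suite listed before it. */
    static List<String> violations(List<String> order) {
        List<String> out = new ArrayList<>();
        int worstSoFar = Integer.MIN_VALUE;
        String worstName = null;
        for (String s : order) {
            int r = rank(s);
            if (r < worstSoFar) {
                out.add(s + " ranks better than " + worstName + " but is listed after it");
            } else if (r > worstSoFar) {
                worstSoFar = r;
                worstName = s;
            }
        }
        return out;
    }

    /** Stable sort by rank; suites of equal rank keep the caller's order. */
    static List<String> sortByPreference(List<String> suites) {
        List<String> sorted = new ArrayList<>(suites);
        sorted.sort(Comparator.comparingInt(CipherSuitePreferenceCheck::rank));
        return sorted;
    }

    /**
     * Mitigation on a JDK without this backport: enable only the chosen suites,
     * in the chosen order, and make JSSE honour the server's order rather than
     * the client's (SSLParameters.setUseCipherSuitesOrder exists since JDK 8).
     */
    static void pinServerOrder(SSLServerSocket server, List<String> preferred) {
        SSLParameters p = server.getSSLParameters();
        p.setCipherSuites(preferred.toArray(new String[0]));
        p.setUseCipherSuitesOrder(true);
        server.setSSLParameters(p);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one GCM suite per key-exchange class, in the
        // pre-change order quoted in the Problem section.
        List<String> oldStyle = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384");
        System.out.println("Inversions in the old-style order:");
        violations(oldStyle).forEach(v -> System.out.println("  " + v));
        System.out.println("Same suites sorted by the five factors:");
        sortByPreference(oldStyle).forEach(s -> System.out.println("  " + s));

        // Inspect this runtime's actual default enabled suites (TLS 1.2 AES only;
        // TLS 1.3 names such as TLS_AES_256_GCM_SHA384 carry no "_WITH_").
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> tls12 = new ArrayList<>();
        for (String s : enabled) {
            if (s.contains("_WITH_AES_")) tls12.add(s);
        }
        List<String> v = violations(tls12);
        System.out.println(v.isEmpty()
            ? "Runtime default order is consistent with forward-secrecy-first ranking."
            : "Runtime default order has " + v.size() + " inversion(s):");
        v.forEach(x -> System.out.println("  " + x));
    }
}
```

Run against the sample, the old-style order yields four inversions (both ECDH suites and both DHE suites rank better than `TLS_RSA_WITH_AES_256_GCM_SHA384` yet follow it), and the sorted output reproduces the forward-secrecy-first order from the Problem section: ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA. The ranking deliberately ignores AES key size and the signature algorithm, so it checks only the group ordering the CSR specifies; intra-group choices such as placing both ECDHE_ECDSA GCM suites (Suite B) ahead of ECDHE_RSA are not flagged either way. On a JDK 8u or 11u build that includes this change, the runtime check should report no inversions.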

            coffeys Sean Coffey
            xuelei Xuelei Fan
            Sean Mullan