JDK-8279164

Disable TLS_ECDH_* cipher suites

      Description

        These cipher suites do not preserve forward secrecy and are rarely used in practice. Other TLS implementations (e.g., Chrome, Mozilla) do not enable these suites. The successor of RFC 7525 [1] recommends that these suites not be used. This draft has been submitted to IESG for Publication as an RFC.

        Some TLS_ECDH_* cipher suites are already disabled because they use 3DES, RC4, anon, or NULL, which are disabled. This action will disable all remaining ECDH cipher suites.

        [1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-11.html#name-general-guidelines (see 6th bullet starting with "Implementations SHOULD NOT negotiate cipher suites based on non-ephemeral (static) finite-field Diffie-Hellman key agreement.")
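
A way to check a given Java runtime for the suites this issue targets, as an added example (not code from the issue or from the JDK). It uses only the standard JSSE API; the class name `StaticEcdhAudit` and its helper methods are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class StaticEcdhAudit {

    // Static ECDH suites are named TLS_ECDH_<auth>_WITH_...; the trailing
    // underscore in the prefix keeps ephemeral TLS_ECDHE_* suites from matching.
    static boolean isStaticEcdh(String suite) {
        return suite.startsWith("TLS_ECDH_");
    }

    // Names of all static ECDH suites present in the given list.
    static List<String> staticEcdh(String[] suites) {
        return Arrays.stream(suites)
                .filter(StaticEcdhAudit::isStaticEcdh)
                .collect(Collectors.toList());
    }

    // Removes every static ECDH suite from the parameters, for runtimes
    // that still enable them by default. All other settings are untouched.
    static SSLParameters withoutStaticEcdh(SSLParameters params) {
        String[] kept = Arrays.stream(params.getCipherSuites())
                .filter(s -> !isStaticEcdh(s))
                .toArray(String[]::new);
        params.setCipherSuites(kept);
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Each call returns a fresh copy, so modifying it below is safe.
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Runtime: " + System.getProperty("java.version"));
        System.out.println("Static ECDH enabled by default: "
                + staticEcdh(defaults.getCipherSuites()));
        System.out.println("Static ECDH supported: "
                + staticEcdh(supported.getCipherSuites()));

        SSLParameters hardened = withoutStaticEcdh(defaults);
        System.out.println("Default suites left after filtering: "
                + hardened.getCipherSuites().length);
    }
}
```

The filtered parameters can be applied per connection with `SSLSocket.setSSLParameters` or `SSLEngine.setSSLParameters`.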

              People

                mullan Sean Mullan