Details
- Enhancement
- Status: Resolved
- P3
- Resolution: Fixed
- None
- b23
Description
These cipher suites do not preserve forward secrecy and are rarely used in practice. Other TLS implementations (e.g., Chrome, Mozilla) do not enable these suites. The successor of RFC 7525 [1] recommends that these suites not be used. This draft has been submitted to the IESG for publication as an RFC.
Some TLS_ECDH_* cipher suites are already disabled because they use 3DES, RC4, anon, or NULL, which are disabled. This action will disable all remaining ECDH cipher suites.
[1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-11.html#name-general-guidelines (see 6th bullet starting with "Implementations SHOULD NOT negotiate cipher suites based on non-ephemeral (static) finite-field Diffie-Hellman key agreement.")
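A way to check a given JVM for the condition described above, as an added example (not code from the JDK project or this issue): it lists any static `TLS_ECDH_*` suites that the default `SSLContext` enables or supports. The class name `StaticEcdhAudit` and the prefix test are assumptions based on the suite naming used in this description.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class StaticEcdhAudit {
    // Static (non-ephemeral) ECDH suites are named TLS_ECDH_<auth>_WITH_...;
    // the trailing underscore keeps the ephemeral TLS_ECDHE_* family out.
    static boolean isStaticEcdh(String suite) {
        return suite.startsWith("TLS_ECDH_");
    }

    // Returns the static ECDH suites found in a list of suite names.
    static List<String> staticEcdh(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (isStaticEcdh(s)) {
                hits.add(s);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Suites negotiated when the application does not choose any itself.
        List<String> enabled =
            staticEcdh(ctx.getDefaultSSLParameters().getCipherSuites());
        // Suites the provider reports as available to be enabled explicitly.
        List<String> supported =
            staticEcdh(ctx.getSupportedSSLParameters().getCipherSuites());

        // The security property that restricts TLS algorithms in this runtime.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("static ECDH enabled by default: " + enabled);
        System.out.println("static ECDH reported as supported: " + supported);

        // Non-zero exit lets a build or deployment check fail on a finding.
        System.exit(enabled.isEmpty() ? 0 : 1);
    }
}
```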
Issue Links
- csr for: JDK-8296300 Disable TLS_ECDH_* cipher suites (Closed)
- relates to: JDK-8301379 Verify TLS_ECDH_* cipher suites cannot be negotiated (Resolved)