Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8279164

Disable TLS_ECDH_* cipher suites

    XMLWordPrintable

Details

    Description

      These cipher suites do not preserve forward-secrecy and are rarely used in practice. Other TLS implementations (ex: Chrome, Mozilla) do not enable these suites. The successor of RFC 7525 [1] recommends that these suites not be used. This draft has been submitted to IESG for Publication as an RFC.

      Some TLS_ECDH_* cipher suites are already disabled because they use 3DES, RC4, anon, or NULL, which are disabled. This action will disable all remaining ECDH cipher suites.

      [1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-11.html#name-general-guidelines (see 6th bullet starting with "Implementations SHOULD NOT negotiate cipher suites based on non-ephemeral (static) finite-field Diffie-Hellman key agreement.")

      Attachments

        Issue Links

          csr for

          CSR - null JDK-8296300 Disable TLS_ECDH_* cipher suites

          • P3 - Major loss of function.
          • Closed
          relates to

          Enhancement - null JDK-8301379 Verify TLS_ECDH_* cipher suites cannot be negotiated

          • P4 - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          links to

          Commit Commit openjdk/jdk/00d22f60

          Review Review openjdk/jdk/10969

          There are no Sub-Tasks for this issue.

          Activity

            People

              mullan Sean Mullan
              mullan Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: