JDK-8296300: Disable TLS_ECDH_* cipher suites


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version/s: 20
    • Component/s: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: These suites are known to be rarely used in practice. By default there are other cipher suites that are stronger and have higher priority, thus a client or server using the default JDK configuration should not be affected unless they are specifically trying to negotiate one of these suites.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Disable TLS_ECDH_* cipher suites by default.

      Problem

      The TLS_ECDH_* cipher suites do not provide forward secrecy and are rarely used in practice. Other TLS implementations (e.g. Chrome, Firefox) do not enable these suites. The successor of RFC 7525 [1] (which has been submitted to the IESG for publication as an RFC) recommends that these suites not be used.

      Note that some TLS_ECDH_* cipher suites are currently disabled because they use algorithms that are disabled, such as 3DES and RC4. This action will disable the rest.

      TLS_ECDH_* cipher suites are supported in TLS 1.0, 1.1, 1.2, and DTLS 1.0, 1.2. They are not supported in TLS 1.3. TLS 1.0, 1.1 and DTLS 1.0 are already disabled by default.

      [1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-11.html#name-general-guidelines (see 6th bullet starting with "Implementations SHOULD NOT negotiate cipher suites based on non-ephemeral (static) finite-field Diffie-Hellman key agreement.")

      Solution

      Disable TLS_ECDH_* cipher suites by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. This will cause attempts to use TLS_ECDH_* cipher suites to fail with an SSLHandshakeException with the error message "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)". Users can, at their own risk, re-enable the suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.
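      The following program is an added example, not part of this CSR or the JDK sources; it checks a running JDK for the behaviour described above by reading the jdk.tls.disabledAlgorithms property and comparing the default SSLContext's supported and enabled cipher suites. The class name EcdhSuiteCheck and the helper staticEcdhSuites are assumptions of this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

// Added example: verify that static-ECDH suites are disabled by default in this JDK.
public class EcdhSuiteCheck {

    // Returns the suites in the given array whose key exchange is static (non-ephemeral) ECDH.
    // "TLS_ECDH_" does not match "TLS_ECDHE_", so the ephemeral, forward-secret suites are left out.
    static List<String> staticEcdhSuites(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.startsWith("TLS_ECDH_"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // The value loaded from java.security, or from an override via -Djava.security.properties.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        SSLContext ctx = SSLContext.getDefault();
        // Supported = everything the provider implements; enabled = what is negotiable by default.
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        List<String> supportedEcdh = staticEcdhSuites(supported);
        List<String> enabledEcdh = staticEcdhSuites(enabled);
        long enabledEcdhe = Arrays.stream(enabled)
                .filter(s -> s.startsWith("TLS_ECDHE_"))
                .count();

        System.out.println("Static ECDH suites supported by provider: " + supportedEcdh.size());
        System.out.println("Static ECDH suites enabled by default:    " + enabledEcdh.size());
        System.out.println("ECDHE (forward-secret) suites enabled:    " + enabledEcdhe);

        if (!enabledEcdh.isEmpty()) {
            // Reached on a JDK without this change, or when "ECDH" was removed from the property.
            System.err.println("Static ECDH suites are still negotiable: " + enabledEcdh);
            System.exit(1);
        }
    }
}
```

      Run it with `java EcdhSuiteCheck.java`; a non-zero exit means the default configuration still offers static ECDH suites, while the ECDHE count shows the ephemeral suites are unaffected by the "ECDH" entry.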

      Specification

      Change to the java.security file:

       #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
       #       rsa_pkcs1_sha1, secp224r1
       jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
      -    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
      +    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      +    ECDH
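      Review bot: The added entry is the bare algorithm name ECDH, and neither this hunk nor the Solution text says that the ephemeral TLS_ECDHE_* suites are unaffected; since the Problem section singles out the missing forward secrecy of the static suites, a one-line statement that TLS_ECDHE_* suites remain enabled would prevent readers from assuming the new line disables both families. The continuation backslash appended to the "NULL, \" line and the new "ECDH" line otherwise read correctly as one property value.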

            Assignee: Sean Mullan (mullan)
            Reporter: Sean Mullan (mullan)
            Reviewed by: Xuelei Fan