
Remove SSLv2Hello and SSLv3 from default enabled TLS protocols


    • behavioral
    • minimal
    • Java API
    • JDK

      Summary

      Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

      Note: this backport CSR is the same as the original CSR (JDK-8235350).

      Problem

      SSLv3 has been deprecated by RFC 7568. We already disabled it by default in 2015 by adding it to the jdk.tls.disabledAlgorithms security property. However, it is still in the default enabled list. We should remove it from the default enabled list as an additional cleanup.

      Solution

      Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

      If SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will no longer be returned in this list.

      If a client / server still needs to use this protocol, it can do so by enabling it via the jdk.tls.client.protocols / jdk.tls.server.protocols system property or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.
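      The following program is an added example, not part of this CSR or of the JDK sources, showing how an application can audit the protocol defaults described above and defensively strip SSLv3 and SSLv2Hello from a protocol list before calling setEnabledProtocols(). It uses only public JSSE APIs (SSLContext, SSLParameters, SSLEngine, SSLSocket) plus the jdk.tls.disabledAlgorithms, jdk.tls.client.protocols and jdk.tls.server.protocols properties named in this CSR; the class name, the helper methods and the "fromConfig" protocol list are constructed for the example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Audits the JSSE protocol defaults and hardens a socket's enabled list (example code). */
public class TlsDefaultsAudit {

    // Protocols that should never appear in an enabled list: SSLv3 (deprecated by
    // RFC 7568) and the SSLv2-format ClientHello pseudo-protocol.
    static final Set<String> LEGACY = Set.of("SSLv2Hello", "SSLv3");

    /** Returns the legacy protocol names present in an enabled list (empty means clean). */
    static List<String> findLegacy(String[] enabled) {
        List<String> hits = new ArrayList<>();
        for (String p : enabled) {
            if (LEGACY.contains(p)) {
                hits.add(p);
            }
        }
        return hits;
    }

    /** Copy of a requested protocol list with every legacy entry removed. */
    static String[] withoutLegacy(String[] requested) {
        return Arrays.stream(requested)
                     .filter(p -> !LEGACY.contains(p))
                     .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        // 1. Defaults handed out by the platform SSLContext: the "enabled" list is the one
        //    this CSR changes; the "supported" list is what setEnabledProtocols() may select from.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("Default enabled : " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Supported       : "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // 2. An SSLEngine created from the same context starts with the same enabled list.
        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("Engine enabled  : " + Arrays.toString(engine.getEnabledProtocols()));

        // 3. The knobs this CSR names for disabling or re-enabling protocols. A non-null
        //    jdk.tls.*.protocols value or a disabledAlgorithms value lacking "SSLv3" is
        //    worth flagging in a configuration review.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.client.protocols   = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.server.protocols   = "
                + System.getProperty("jdk.tls.server.protocols"));

        // 4. Warn if a legacy protocol surfaces in the defaults anyway (for example because
        //    someone removed SSLv3 from disabledAlgorithms on an older JDK).
        List<String> hits = findLegacy(defaults.getProtocols());
        if (!hits.isEmpty()) {
            System.out.println("WARNING: legacy protocols enabled by default: " + hits);
        }

        // 5. Defensive setEnabledProtocols(): an application that takes its protocol list
        //    from configuration strips legacy names before applying it to a socket.
        String[] fromConfig = {"TLSv1.3", "TLSv1.2", "SSLv3"};   // constructed sample config
        SSLSocketFactory sf = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) sf.createSocket()) {        // unconnected socket
            s.setEnabledProtocols(withoutLegacy(fromConfig));
            System.out.println("Socket enabled  : " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

      Run it once with a stock configuration and once with -Djdk.tls.client.protocols=SSLv3 (or with SSLv3 removed from jdk.tls.disabledAlgorithms in java.security) to see the difference between the defaults this CSR describes and an explicit override; step 5 is the check an application should apply regardless of which JDK release it runs on.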

      Specification

      Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/

      --- old/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java    2019-12-04 13:00:19.000000000 -0800
      +++ new/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java    2019-12-04 13:00:18.000000000 -0800
      @@ -549,9 +549,7 @@
                       ProtocolVersion.TLS13,
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30,
      -                ProtocolVersion.SSL20Hello
      +                ProtocolVersion.TLS10
                   });
      
                   supportedCipherSuites = getApplicableSupportedCipherSuites(
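      Review bot: Dropping ProtocolVersion.SSL20Hello together with SSL30 from this list changes more than the getEnabledProtocols() return value the Solution section describes: an endpoint built from this default list will no longer negotiate with a peer that sends an SSLv2-format ClientHello. Suggest the CSR's Solution section state explicitly that SSLv2Hello, like SSLv3, must be added back via jdk.tls.server.protocols / jdk.tls.client.protocols or setEnabledProtocols() where a deployment still needs it.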
      @@ -600,9 +598,7 @@
                           ProtocolVersion.TLS13,
                           ProtocolVersion.TLS12,
                           ProtocolVersion.TLS11,
      -                    ProtocolVersion.TLS10,
      -                    ProtocolVersion.SSL30,
      -                    ProtocolVersion.SSL20Hello
      +                    ProtocolVersion.TLS10
                   };
               }
           }
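      Review bot: This list is a line-for-line duplicate of the one in the hunk at line 549 (both now end at ProtocolVersion.TLS10); consider hoisting the shared array into one constant so the two defaults cannot drift apart in a later change. The edit itself is mechanically right: the trailing comma on TLS10 goes away with the removed entries, so the initializer still compiles.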
      @@ -619,8 +615,7 @@
               static {
                   clientDefaultProtocols = getAvailableProtocols(
                           new ProtocolVersion[] {
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
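      Review bot: After this hunk the list is the single element ProtocolVersion.TLS10, and the hunks at 651, 685 and 719 each truncate at TLS10 as well, so what a caller gets back depends on which context it asked for: the Solution section's "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1" describes only the fullest of these lists, while a context whose default list is this one returns just "TLSv1". Suggest the Solution wording say the returned list is the context's default list with SSLv3 removed, rather than quoting one fixed list.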
      @@ -651,8 +646,7 @@
                   clientDefaultProtocols = getAvailableProtocols(
                           new ProtocolVersion[] {
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -685,8 +679,7 @@
                           new ProtocolVersion[] {
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -719,8 +712,7 @@
                       ProtocolVersion.TLS13,
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -876,8 +868,7 @@
                           ProtocolVersion.TLS13,
                           ProtocolVersion.TLS12,
                           ProtocolVersion.TLS11,
      -                    ProtocolVersion.TLS10,
      -                    ProtocolVersion.SSL30
      +                    ProtocolVersion.TLS10
                   };
               }
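      Review bot: The webrev touches only SSLContextImpl.java; no test change is visible that asserts "SSLv3" and "SSLv2Hello" are absent from getEnabledProtocols() / getDefaultSSLParameters() when SSLv3 is removed from jdk.tls.disabledAlgorithms, which is exactly the condition the Solution section describes. Suggest adding a regression test for that case so the cleanup cannot regress silently.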

            jnibedita Nibedita Jena
            mullan Sean Mullan
            Sean Mullan