- CSR
- Resolution: Approved
- P3
- None
- behavioral
- low
- System or security property
- JDK
Summary
Disable TLS_ECDH_* cipher suites by default.
Note: this backport CSR is the same as the original CSR (JDK-8296300).
Problem
The TLS_ECDH_* cipher suites do not preserve forward secrecy and are rarely used in practice. Other TLS implementations (e.g., Chrome, Firefox) do not enable these suites. The successor of RFC 7525 [1] (which has been submitted to the IESG for publication as an RFC) recommends that these suites not be used.
Note that some TLS_ECDH_* cipher suites are currently disabled because they use algorithms that are disabled, such as 3DES and RC4. This action will disable the rest.
TLS_ECDH_* cipher suites are supported in TLS 1.0, 1.1, 1.2, and DTLS 1.0, 1.2. They are not supported in TLS 1.3. TLS 1.0, 1.1 and DTLS 1.0 are already disabled by default.
[1] https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-11.html#name-general-guidelines (see 6th bullet starting with "Implementations SHOULD NOT negotiate cipher suites based on non-ephemeral (static) finite-field Diffie-Hellman key agreement.")
Solution
Disable TLS_ECDH_* cipher suites by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. This will cause attempts to use TLS_ECDH_* cipher suites to fail with an SSLHandshakeException with the error message "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)". Users can, at their own risk, re-enable the suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.
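To confirm that a given runtime has this setting in effect, the following added example (not part of the CSR or of the JDK sources) reads the security property and lists any static TLS_ECDH_* suites still in the default enabled set. The class name EcdhSuiteAudit and its two helper methods are hypothetical; it checks JDK defaults only, not suites an application enables explicitly.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class, not JDK code): audit a runtime for
// the default changed by this CSR.
public class EcdhSuiteAudit {

    // True if the property value contains the bare token "ECDH".
    // Entries such as "DH keySize < 1024" do not match.
    static boolean listsEcdh(String property) {
        if (property == null) {
            return false;
        }
        return Arrays.stream(property.split(","))
                .map(String::trim)
                .anyMatch(t -> t.equalsIgnoreCase("ECDH"));
    }

    // Static-ECDH suites only: the prefix "TLS_ECDH_" does not match
    // ephemeral suites, whose names start with "TLS_ECDHE_".
    static List<String> staticEcdh(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.startsWith("TLS_ECDH_"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        boolean disabled = listsEcdh(prop);
        System.out.println("ECDH in jdk.tls.disabledAlgorithms: " + disabled);

        // Default suites offered by the default SSLContext of this runtime.
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled =
                staticEcdh(ctx.getDefaultSSLParameters().getCipherSuites());
        System.out.println("TLS_ECDH_* suites enabled by default: " + enabled.size());
        enabled.forEach(s -> System.out.println("  " + s));

        // Non-zero exit lets a build or deployment check fail on a
        // runtime that still offers static ECDH by default.
        if (!disabled || !enabled.isEmpty()) {
            System.exit(1);
        }
    }
}
```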
Specification
Change to the java.security file:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
- MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+ MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ ECDH
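Review bot: The "ECDH" entry added on the last "+" line is a bare token with no accompanying comment, so a reader of java.security cannot tell from the file that it is meant to cover the static TLS_ECDH_* suites named in the Summary rather than the ephemeral TLS_ECDHE_* ones. Consider adding a line to the comment block above the property (the block that currently shows the "MD5, SSLv3, DSA, RSA keySize < 2048" example) stating which suites the entry disables, and that removing it re-enables suites without forward secrecy.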
csr of:
- JDK-8330757 Disable TLS_ECDH_* cipher suites - Resolved
- JDK-8334194 Disable TLS_ECDH_* cipher suites - Resolved
- JDK-8334296 Disable TLS_ECDH_* cipher suites - Resolved