- Type: CSR
- Resolution: Approved
- Priority: P3
- None
- Compatibility Kind: behavioral
- Compatibility Risk: minimal
- Compatibility Risk Description: The risk is minimal. The code change is small and restricted to a single file. The existing code flow is unchanged; only an additional string-filtering layer is added.
- Interface Kind: System or security property
- Scope: JDK
Summary
Allow TLS cipher suites to be disabled using wildcard matching.
Problem
The current syntax of the jdk.tls.disabledAlgorithms security property makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name so that an exact match is done; but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
Solution
Implement TLS cipher suite wildcard matching for the jdk.tls.disabledAlgorithms security property. For example, jdk.tls.disabledAlgorithms=TLS_RSA_* disables all cipher suites that start with "TLS_RSA_".
Specification
The definition of the jdk.tls.disabledAlgorithms security property in the java.security file will be updated to describe how the new wildcard matching behavior works. The following text will be added to the definition:
'Additionally, TLS cipher suites can be disabled with this property using one or more "*" wildcard characters. For example, "TLS_RSA_*" disables all cipher suites that start with "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have wildcard characters.'
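The following is an added reference model of the wildcard rule described above, not JDK code: it treats an entry containing "*" as a glob anchored over the whole cipher suite name, treats an entry without "*" as an exact cipher suite name, and rejects wildcard entries that do not start with "TLS_". It assumes case-sensitive matching and leaves algorithm-name entries such as "RSA" to the JDK's existing algorithm-based logic; the cipher suite list is a constructed sample.

```python
import re

# Constructed sample of cipher suite names used as input for the model.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def parse_entries(value):
    """Split a jdk.tls.disabledAlgorithms value into stripped, non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def wildcard_allowed(entry):
    """Per the CSR text, only entries starting with 'TLS_' may carry '*'."""
    return "*" not in entry or entry.startswith("TLS_")


def entry_matches(entry, suite):
    """Match one entry against one cipher suite name (exact or wildcard).

    Plain algorithm names such as 'RSA' are NOT modelled here; in the JDK they are
    handled by the existing algorithm-based constraints, which this model skips.
    """
    if not wildcard_allowed(entry):
        raise ValueError(f"wildcard only allowed in entries starting with TLS_: {entry!r}")
    if "*" in entry:
        # Turn each '*' into '.*' and anchor so the glob covers the whole name.
        pattern = "^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$"
        return re.match(pattern, suite) is not None
    return entry == suite


def enabled_suites(disabled_value, suites=SAMPLE_SUITES):
    """Return the suites that survive the given jdk.tls.disabledAlgorithms value."""
    entries = parse_entries(disabled_value)
    return [s for s in suites if not any(entry_matches(e, s) for e in entries)]


if __name__ == "__main__":
    for value in ("TLS_RSA_*", "TLS_*_RSA_*", "TLS_AES_128_GCM_SHA256"):
        print(value, "->", enabled_suites(value))
```

Note that "TLS_*_RSA_*" disables the ECDHE_RSA and DHE_RSA suites (RSA used for authentication) while leaving the TLS_RSA_ suites (RSA used for key exchange) enabled, which is the distinction the Problem section says the old syntax could not express.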
- CSR of: JDK-8341964 Add mechanism to disable different parts of TLS cipher suite (Resolved)