- CSR
- Resolution: Approved
- P3
- None
- behavioral
- low
- System or security property
- JDK
Summary
Disable cipher suites starting with "TLS_RSA_", i.e. cipher suites that use the RSA algorithm for key exchange.
Problem
These cipher suites do not preserve forward secrecy and are not commonly used. Other TLS implementations (e.g., Rustls) do not support or enable these suites by default. RFC 9325 [1] states that these suites should not be used. The IETF Draft "Deprecating Obsolete Key Exchange Methods in TLS" [2] mandates that these suites not be used.
Note that some TLS_RSA cipher suites are currently disabled because they use algorithms that are disabled, such as 3DES and RC4. This action will disable the rest.
TLS_RSA cipher suites are supported in TLS 1.0, 1.1, 1.2, and DTLS 1.0, 1.2. They are not supported in TLS 1.3. TLS 1.0, 1.1 and DTLS 1.0 are already disabled by default.
[1] RFC 9325, Recommendations for Secure Use of TLS and DTLS: "Implementations SHOULD NOT negotiate cipher suites based on RSA key transport, a.k.a. "static RSA". Rationale: These cipher suites, which have assigned values starting with the string "TLS_RSA_WITH_*", have several drawbacks, especially the fact that they do not support forward secrecy."
[2] IETF Draft, Deprecating Obsolete Key Exchange Methods in TLS: "Clients MUST NOT offer and servers MUST NOT select RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].)"
Solution
Add ", TLS_RSA_*" to the jdk.tls.disabledAlgorithms security property. This will cause attempts to use TLS_RSA cipher suites to fail with an SSLHandshakeException with the error message "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)". Users can, at their own risk, re-enable the suites by removing "TLS_RSA_*" from the jdk.tls.disabledAlgorithms security property.
Specification
The definition of the jdk.tls.disabledAlgorithms security property in the java.security file will have the string ", TLS_RSA_*" appended.
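An added example (not part of the CSR or of JDK code): a Python check that the jdk.tls.disabledAlgorithms definition in a java.security file covers the static-RSA suites, for auditing configurations where the entry may have been removed. It assumes "*" matches any run of characters, runs on a constructed sample file, and does not model entries that disable a suite through one of its component algorithms.

```python
import re

PROP = "jdk.tls.disabledAlgorithms"

# Constructed java.security excerpt for illustration (not copied from a JDK release).
SAMPLE = """\
# constructed comment line
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \\
    MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, anon, NULL, TLS_RSA_*
"""

def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines.
    Simplified Properties parsing: '=' separator only; the last definition wins."""
    value, lines = None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def covered_by(suite, value):
    """Return the entry that names or wildcard-matches `suite`, else None.
    Assumption: '*' matches any run of characters. Entries that disable a
    suite through an algorithm it uses (e.g. RC4) are not modelled here."""
    entries = [e.strip() for e in (value or "").split(",") if e.strip()]
    for e in entries:
        pattern = ".*".join(re.escape(part) for part in e.split("*"))
        if re.fullmatch(pattern, suite):
            return e
    return None

def static_rsa_disabled(text):
    """True if a suite-name entry covers a representative TLS_RSA_ suite."""
    return covered_by("TLS_RSA_WITH_AES_128_GCM_SHA256", read_property(text, PROP)) is not None

if __name__ == "__main__":
    print("static RSA disabled:", static_rsa_disabled(SAMPLE))
```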
- csr of: JDK-8245545 Disable TLS_RSA cipher suites (Resolved)