  1. CCC Migration Project
  2. CCC-8176745

Drop SSLContext TLSv1 cipher suite requirements

    Details

    • Subcomponent:
    • Compatibility Risk:
      minimal
    • Interface Kind:
      Other
    • Scope:
      SE

      Description

      Summary

      Drop SSLContext TLSv1 cipher suite requirements from Security Algorithm Implementation Requirements for Java SE.

      Problem

      The current Security Algorithm Implementation Requirements for Java SE (see http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl) require implementations to support a "TLSv1" SSLContext with the following additional footnote:

      "A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746."

      This additional requirement listed in the footnote has turned out to be problematic as 3DES is now weak and considered a security risk. Mandating cipher suite requirements is not a good idea as algorithms weaken over time. Requiring specific cipher suites also makes it more difficult to pass the JCK (additional configuration is necessary) when these algorithms are disabled by default.

      Solution

      Remove the following footnote from http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl:

      "A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746."

      Specification

      Remove the following footnote from http://download.java.net/java/jdk9/docs/technotes/guides/security/StandardNames.html#impl:

      A TLSv1 implementation must support the cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA as defined in RFC 2246 and the special signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe renegotiation as defined in RFC 5746.
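
      To see how a given runtime treats the two suites named in the footnote, the following check compares what a "TLSv1" SSLContext supports with what it enables by default. It is an added example, not part of this CSR or the JDK sources; the class name Tls1SuiteCheck is hypothetical, and it assumes Java 9 or later.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class Tls1SuiteCheck {
    // The two suites named in the footnote that this CSR removes.
    static final List<String> FOOTNOTE_SUITES = List.of(
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");

    public static void main(String[] args) throws Exception {
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("TLSv1");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("No provider offers a TLSv1 SSLContext: " + e.getMessage());
            return;
        }
        // Default key managers, trust managers and SecureRandom.
        ctx.init(null, null, null);

        // "Supported" is what the provider implements; "default" is what
        // remains enabled after the runtime's security configuration.
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled =
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        for (String suite : FOOTNOTE_SUITES) {
            System.out.printf("%-40s supported=%b enabledByDefault=%b%n",
                suite, supported.contains(suite), enabled.contains(suite));
        }

        // Flag any other 3DES suites that are still on by default.
        enabled.stream()
               .filter(s -> s.contains("3DES"))
               .forEach(s -> System.out.println("3DES suite enabled by default: " + s));

        // The security property that disables TLS algorithms by default.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```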

              People

              Assignee:
              mullan Sean Mullan
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Xue-Lei Fan