JDK-8167459

Add debug output for indicating if a chosen ciphersuite was legacy

    Details

    • Resolved In Build:
      b141
    • Verification:
      Not verified

        Description

        We should eventually provide more information about which ciphersuites were actually considered for a handshake and why each was ultimately chosen or not chosen, but for now, add a debug message indicating whether or not the chosen ciphersuite was legacy.

        Examples:

        % java -Djavax.net.debug=all MyClass // or % java -Djavax.net.debug=ssl MyClass
            ...deleted...
            Standard ciphersuite chosen: TLS_RSA_WITH_AES_128_CBC_SHA
            ...deleted...

        or

            ...deleted...
            Legacy ciphersuite chosen: SSL_RSA_WITH_RC4_128_SHA
            ...deleted...
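A small log check, added here as an example and not part of the JDK change, that scans `javax.net.debug` output for the message this issue introduces and reports whether any handshake ended up on a legacy (last-resort) suite. The sample log is constructed; the suite names in it are only illustrative.

```python
import re
from collections import Counter

# Matches the debug line this issue adds; group 1 is "Standard" or "Legacy",
# group 2 is the JSSE ciphersuite name.  Leading whitespace is tolerated
# because the debug output is often indented or copied from a console.
CHOSEN_RE = re.compile(r"^\s*(Standard|Legacy) ciphersuite chosen: (\S+)\s*$")


def chosen_ciphersuites(debug_output):
    """Return (kind, suite) tuples, in handshake order, for every
    'ciphersuite chosen' line found in javax.net.debug output."""
    found = []
    for line in debug_output.splitlines():
        m = CHOSEN_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def legacy_summary(debug_output):
    """Count legacy vs. standard selections and list the distinct legacy
    suites, so a support engineer can see at a glance whether a
    last-resort suite was negotiated during the captured session."""
    chosen = chosen_ciphersuites(debug_output)
    counts = Counter(kind for kind, _ in chosen)
    legacy = sorted({suite for kind, suite in chosen if kind == "legacy"})
    return {
        "standard": counts["standard"],
        "legacy": counts["legacy"],
        "legacy_suites": legacy,
    }


# Constructed sample of javax.net.debug=ssl output covering three handshakes
# (the unrelated lines are elided the same way the issue's examples are).
SAMPLE_LOG = """\
...deleted...
    Standard ciphersuite chosen: TLS_RSA_WITH_AES_128_CBC_SHA
...deleted...
    Legacy ciphersuite chosen: SSL_RSA_WITH_RC4_128_SHA
...deleted...
    Legacy ciphersuite chosen: SSL_RSA_WITH_3DES_EDE_CBC_SHA
...deleted...
"""

if __name__ == "__main__":
    print(legacy_summary(SAMPLE_LOG))
```

Run it against a saved `-Djavax.net.debug=ssl` log instead of `SAMPLE_LOG` to check a real session; a non-zero `legacy` count means a client or server only offered suites the JDK now treats as last resort.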


          Activity

          hgupdate HG Updates added a comment -
          URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/5cdd35a1baf8
          User: wetmore
          Date: 2016-10-11 22:51:57 +0000

          hgupdate HG Updates added a comment -
          URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/5cdd35a1baf8
          User: lana
          Date: 2016-10-19 19:44:45 +0000
          wetmore Bradford Wetmore added a comment -
          Justification for backport:

          The number of TLS connections still using 3DES is small but non-negligible. In CPU17_01, we are adding 3DES to the list of legacy TLS algorithms, which means 3DES-based ciphersuites will now only be selected as a last resort. When evaluating TLS connections during support incidents, it will be very helpful to know if the chosen ciphersuite was considered first-class (normal) or legacy (last resort). This fix could be PSU, but strongly prefer it be paired with the corresponding CPU fix when it will become much more visible.

          afomin Alexander Fomin (Inactive) added a comment -
          UR SQE OK to take the fix in CPU17_01: no issues during nightly; it makes sense to pair the fix with the corresponding CPU fixes.

            People

            • Assignee:
              wetmore Bradford Wetmore
            • Reporter:
              wetmore Bradford Wetmore