Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8211883

Disable anon and NULL cipher suites

    Details

      Backports

        Description

        The TLS anon (anonymous) and NULL cipher suites are used rarely and have security weaknesses. Anonymous suites are vulnerable to man-in-the-middle attacks. NULL suites do not provide confidentiality. RFC 7525 (Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" says: "Implementations MUST NOT negotiate the cipher suites with NULL encryption." TLS 1.3 has removed them.
         
        These suites are not enabled by default (i.e. they are not on the internal hardcoded list of ciphersuites that are available for TLS handshake), so an application has to explicitly enable them using an API or the "jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system properties. However, adding them to the "jdk.tls.disabledAlgorithms" security property adds an extra layer of protection should they be used accidentally or maliciously. This change is also consistent with prior crypto roadmap changes that have disabled insecure cipher suites.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: