JDK-8212823

Disable anon and NULL cipher suites

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11.0.2, 12
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      These suites are rarely, if ever used. If an application is for some reason using one of these suites (perhaps for testing reasons), they can still use it by removing or overriding the "jdk.tls.disabledAlgorithms" security property.
    • Interface Kind:
      System or security property

      Description

      Summary

      Disable the TLS anon (anonymous) and NULL cipher suites by default by adding them to the jdk.tls.disabledAlgorithms security property.

      Problem

The TLS anon and NULL cipher suites are rarely used and have security weaknesses. Anonymous suites provide no server authentication and are therefore vulnerable to man-in-the-middle attacks. NULL suites do not provide confidentiality. RFC 7525 ("Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)") says: "Implementations MUST NOT negotiate the cipher suites with NULL encryption."

      These suites are not enabled by default, so an application has to explicitly enable them using an API or the jdk.tls.client.cipherSuites or jdk.tls.server.cipherSuites system properties. However, adding them to the jdk.tls.disabledAlgorithms security property adds an extra layer of protection should they be used accidentally or maliciously.

      Solution

Add anon and NULL to the jdk.tls.disabledAlgorithms security property so that these suites are disabled by default. In order to use one of these suites, an application has to explicitly enable it AND remove it from the jdk.tls.disabledAlgorithms security property.

      Specification

      In the java.security file, change the value of the jdk.tls.disabledAlgorithms security property:

      jdk.tls.disabledAlgorithms= /* whatever was before */, anon, NULL
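The following audit program is an added example, not code from the CSR or from the JDK. It shows the two layers the Problem and Solution sections describe: the anon and NULL suites are supported by JSSE but absent from the default enabled set, and the jdk.tls.disabledAlgorithms property is the second gate that applies even when an application enables them explicitly. The class and method names are my own; the property name, the SSLContext/SSLParameters API and the suite-naming convention (`_anon_`, `_WITH_NULL_`) are real JDK behaviour.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Added example (not part of JDK-8212823): audits the running JDK for the
 * policy this CSR describes. It reads jdk.tls.disabledAlgorithms, checks that
 * the "anon" and "NULL" tokens are present, and then lists every anonymous or
 * NULL-encryption suite the default JSSE provider supports, flagging any that
 * is still in the default enabled set.
 */
public class AnonNullSuiteAudit {

    /** Splits a jdk.tls.disabledAlgorithms value into its comma-separated tokens. */
    static Set<String> parseDisabledAlgorithms(String value) {
        Set<String> tokens = new HashSet<>();
        if (value == null) {
            return tokens;
        }
        for (String token : value.split(",")) {
            String trimmed = token.trim();
            if (!trimmed.isEmpty()) {
                // The property is matched case-insensitively; normalise for lookup.
                tokens.add(trimmed.toUpperCase(Locale.ROOT));
            }
        }
        return tokens;
    }

    /** True for suites with no server authentication (DH_anon / ECDH_anon). */
    static boolean isAnonSuite(String suite) {
        return suite.contains("_anon_");
    }

    /** True for suites whose bulk cipher is NULL, i.e. no confidentiality. */
    static boolean isNullCipherSuite(String suite) {
        // JSSE names put the bulk cipher after "WITH_", e.g. TLS_RSA_WITH_NULL_SHA256.
        return suite.contains("_WITH_NULL_");
    }

    /** Returns true when both tokens from the CSR are present in the property. */
    static boolean policyApplied(Set<String> tokens) {
        return tokens.contains("ANON") && tokens.contains("NULL");
    }

    public static void main(String[] args) throws Exception {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> tokens = parseDisabledAlgorithms(disabled);
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("  anon token present: " + tokens.contains("ANON"));
        System.out.println("  NULL token present: " + tokens.contains("NULL"));

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        Set<String> enabledByDefault =
            new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // First layer: these suites should never be in the default enabled set.
        List<String> weakEnabled = new ArrayList<>();
        System.out.println("Anonymous / NULL suites supported by the provider:");
        for (String suite : supported) {
            if (isAnonSuite(suite) || isNullCipherSuite(suite)) {
                boolean enabled = enabledByDefault.contains(suite);
                System.out.printf("  %-48s %s%n", suite,
                    enabled ? "ENABLED BY DEFAULT" : "not enabled");
                if (enabled) {
                    weakEnabled.add(suite);
                }
            }
        }

        // Second layer: the disabledAlgorithms property blocks them even if an
        // application enables them via the API or the cipherSuites system properties.
        boolean ok = policyApplied(tokens) && weakEnabled.isEmpty();
        System.out.println(ok ? "OK: anon and NULL suites are disabled"
                              : "WARNING: anon/NULL suite policy not fully applied");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with `java AnonNullSuiteAudit` on a JDK 11.0.2 or 12 (or later) runtime; the exit code makes it usable in a build or deployment check. A non-zero exit on an older runtime, or on one whose java.security file has been edited, points at the property value to inspect.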

              People

• Assignee: mullan Sean Mullan
• Reporter: mullan Sean Mullan
• Reviewed By: Jamil Nimeh