JDK-8217579

TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883

    Details

    • Resolved In Build:
      b06
    • Verification:
      Verified

        Description

        When listing the default and available ciphers with 8u202 (testcase listed below), one can notice that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone. With 8u192 it was still in the list of default and available ciphers.

        It appears that "8211883: Disable anon and NULL cipher suites" is the reason TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone now.

        It looks like some of our Tomcat users are running into this issue because
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV plays some role there.

        Full JDK Versions
        -----------------
        JDK 7u211 and later, 8u201 and later, 11.0.2 and later


        Testcase & Reproduction Instructions
        ------------------------------------
        import java.util.*;
        import javax.net.ssl.SSLServerSocketFactory;
         
        public class Ciphers
        {
            public static void main(String[] args)
                throws Exception
            {
                // Cast the default factory so the cipher suite lists can be queried.
                SSLServerSocketFactory ssf =
                    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
         
                String[] defaultCiphers = ssf.getDefaultCipherSuites();
                String[] availableCiphers = ssf.getSupportedCipherSuites();
         
                System.out.println("default ciphers:");
                System.out.println("------------------------------");
                for (String s: defaultCiphers) {
                    System.out.println(s);
                }
         
                System.out.println("available ciphers:");
                System.out.println("------------------------------");
                for (String s: availableCiphers) {
                    System.out.println("available:" + s);
                }
            }
        }

        Workaround
        ----------
        Remove NULL from jdk.tls.disabledAlgorithms

        Related Bugs, Forum Threads
        ---------------------------
        https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019237.html
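
A diagnostic that ties the testcase to the workaround, added here as an example and not part of the original report or of the JDK sources: it prints the `jdk.tls.disabledAlgorithms` security property, reports whether TLS_EMPTY_RENEGOTIATION_INFO_SCSV is in the default and supported suites, and shows what an application sees when it names the suite explicitly. The class name `ScsvCheck` and the helper `hasEntry` are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical diagnostic class; compiles on JDK 7 and later.
public class ScsvCheck {
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    // True if the comma-separated property value contains an entry equal to name.
    static boolean hasEntry(String property, String name) {
        if (property == null) {
            return false;
        }
        for (String entry : property.split(",")) {
            if (entry.trim().equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Security property named in the workaround (set in the java.security file).
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        SSLContext ctx = SSLContext.getDefault();
        boolean inDefault = Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()).contains(SCSV);
        boolean inSupported = Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()).contains(SCSV);

        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms: " + disabled);
        System.out.println("NULL entry present: " + hasEntry(disabled, "NULL"));
        System.out.println("SCSV in default suites: " + inDefault);
        System.out.println("SCSV in supported suites: " + inSupported);

        // An application that names the suite explicitly (for example through a
        // configured cipher list) gets IllegalArgumentException if it is unsupported.
        SSLEngine engine = ctx.createSSLEngine();
        try {
            engine.setEnabledCipherSuites(new String[] { SCSV });
            System.out.println("explicit enable: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("explicit enable: rejected (" + e.getMessage() + ")");
        }
    }
}
```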

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  shadowbug Shadow Bug