
Unsupported ciphersuites may be offered by a TLS client

Details

• Introduced In Version: 11
• Resolved In Build: b23
• CPU: generic
• OS: generic

Description

A TLS client may offer ciphersuites that it does not support to a TLS server. This happens when the SunJCE security provider is disabled. One possible reason for disabling SunJCE is enabling FIPS mode.

There is an explicit assumption that SunJCE will always be available when deciding if a ciphersuite is enabled: http://hg.openjdk.java.net/jdk/jdk/file/4f2fd02922b1/src/java.base/share/classes/sun/security/ssl/SSLCipher.java#l492

In the context of fixing this bug, we should review that assumption and check at run time whether or not the ciphersuite should be offered.

To reproduce this bug, we can apply the attached patch to the FipsModeTLS12 test. The TLS client will offer the TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite while the AES/GCM/NoPadding transformation is not available in the SunPKCS11 provider. Verified in JDK revision df2b3565f343.
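As an added illustration (not code from the JDK or from this bug report), the following Java snippet shows the kind of run-time check the description asks for: rather than assuming SunJCE is present, it asks the installed providers whether each suite's bulk-cipher transformation can actually be instantiated, and flags suites that the default SSLContext has enabled but no provider can back. The suite-to-transformation table is a constructed subset for this example, not the JDK's own table in SSLCipher.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.net.ssl.SSLContext;

public class SuiteAvailabilityCheck {
    // Constructed subset for illustration: suite name -> JCE transformation its
    // bulk cipher needs. The JDK keeps its own table in SSLCipher; this is not it.
    private static final Map<String, String> BULK_CIPHER = Map.of(
            "TLS_RSA_WITH_AES_128_GCM_SHA256", "AES/GCM/NoPadding",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "AES/CBC/NoPadding",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ChaCha20-Poly1305");

    /** True only if some currently installed provider can instantiate it. */
    static boolean transformationAvailable(String transformation) {
        try {
            Cipher.getInstance(transformation);
            return true;
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return false; // e.g. AES/GCM missing once SunJCE is disabled for FIPS
        }
    }

    /** Keeps only the suites whose bulk cipher is available at run time. */
    static List<String> offerableSuites(List<String> candidates) {
        List<String> result = new ArrayList<>();
        for (String suite : candidates) {
            String transformation = BULK_CIPHER.get(suite);
            if (transformation != null && transformationAvailable(transformation)) {
                result.add(suite);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String[] enabled = SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites();
        List<String> known = new ArrayList<>();
        for (String s : enabled) if (BULK_CIPHER.containsKey(s)) known.add(s);
        List<String> ok = offerableSuites(known);
        // A suite enabled by the default context but not backed by any provider is
        // exactly this bug: it would be offered to the server but cannot be used.
        for (String s : known) {
            System.out.println(s + (ok.contains(s) ? " : backed" : " : ENABLED BUT UNAVAILABLE"));
        }
    }
}
```

Run it once with the default providers and once with SunJCE removed from java.security to see which enabled suites lose their backing.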

People

• Assignee: Martin Balao (mbalao)
• Reporter: Martin Balao (mbalao)
• Votes: 0
• Watchers: 3
