Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8235350

Remove SSLv2Hello and SSLv3 from default enabled TLS protocols

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 14
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      Java API
    • Scope:
      JDK

      Description

      Summary

      Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

      Problem

      SSLv3 has been deprecated with RFC 7568. We have already disabled it by default in 2015 by adding it to the jdk.tls.disabledAlgorithms security property. However, it is still in the default enabled list. We should remove it from the default enabled list as an additional cleanup.

      Solution

      Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

      If SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() API will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

      If a client / server still needs to use this protocol they can do so by enabling it via a system property jdk.tls.client.protocols / jdk.tls.server.protocols or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine. setEnabledProtocols() API.

      Specification

      Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/

      --- old/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java    2019-12-04 13:00:19.000000000 -0800
      +++ new/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java    2019-12-04 13:00:18.000000000 -0800
      @@ -549,9 +549,7 @@
                       ProtocolVersion.TLS13,
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30,
      -                ProtocolVersion.SSL20Hello
      +                ProtocolVersion.TLS10
                   });
      
                   supportedCipherSuites = getApplicableSupportedCipherSuites(
      @@ -600,9 +598,7 @@
                           ProtocolVersion.TLS13,
                           ProtocolVersion.TLS12,
                           ProtocolVersion.TLS11,
      -                    ProtocolVersion.TLS10,
      -                    ProtocolVersion.SSL30,
      -                    ProtocolVersion.SSL20Hello
      +                    ProtocolVersion.TLS10
                   };
               }
           }
      @@ -619,8 +615,7 @@
               static {
                   clientDefaultProtocols = getAvailableProtocols(
                           new ProtocolVersion[] {
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -651,8 +646,7 @@
                   clientDefaultProtocols = getAvailableProtocols(
                           new ProtocolVersion[] {
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -685,8 +679,7 @@
                           new ProtocolVersion[] {
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -719,8 +712,7 @@
                       ProtocolVersion.TLS13,
                       ProtocolVersion.TLS12,
                       ProtocolVersion.TLS11,
      -                ProtocolVersion.TLS10,
      -                ProtocolVersion.SSL30
      +                ProtocolVersion.TLS10
                   });
      
                   clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
      @@ -876,8 +868,7 @@
                           ProtocolVersion.TLS13,
                           ProtocolVersion.TLS12,
                           ProtocolVersion.TLS11,
      -                    ProtocolVersion.TLS10,
      -                    ProtocolVersion.SSL30
      +                    ProtocolVersion.TLS10
                   };
               }

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              rhalade Rajan Halade
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: