JDK > JDK-8233228 Disable weak named curves by default in TLS, CertPath, and Signed JAR > JDK-8236730

Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Description

Weak named curves are disabled by default by adding them to the following `disabledAlgorithms` security properties: `jdk.tls.disabledAlgorithms`, `jdk.certpath.disabledAlgorithms`, and `jdk.jar.disabledAlgorithms`. The named curves are listed below.

With 47 weak named curves to disable, adding each named curve individually to every `disabledAlgorithms` property would be unwieldy. To avoid this, a new security property, `jdk.disabled.namedCurves`, lists the named curves common to all of the `disabledAlgorithms` properties. To use the new property in a `disabledAlgorithms` property, precede its full property name with the keyword `include` (that is, `include jdk.disabled.namedCurves`). Users can still add individual named curves to the `disabledAlgorithms` properties separately from this new property. No other property can be included in the `disabledAlgorithms` properties.

To restore all of the named curves, remove `include jdk.disabled.namedCurves` from specific `disabledAlgorithms` security properties or from all of them.
To restore one or more individual curves, remove the specific named curve(s) from the `jdk.disabled.namedCurves` property.

Curves that are disabled through `jdk.disabled.namedCurves` include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
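As an added example (not JDK code), the following Python models the `include` expansion described above so an operator can compute the effective disabled set of each `disabledAlgorithms` property from a java.security fragment, and check what a restore edit actually restores. The property text is a constructed sample, and the parser is a simplified model of the semantics in this note, not the JDK's own implementation.

```python
"""Resolve `include jdk.disabled.namedCurves` in java.security disabledAlgorithms
properties and report the effective disabled set per property. Added example,
not JDK code: a simplified model of the include semantics, not the JDK parser."""
import re

# Constructed sample, trimmed to a few curves; backslash line continuations
# follow the java.security file format.
SAMPLE_JAVA_SECURITY = r"""
jdk.disabled.namedCurves = secp112r1, secp112r2, sect113r1, \
    X9.62 c2tnb191v1, brainpoolP256r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=MD2, MD5, \
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

INCLUDABLE = {"jdk.disabled.namedCurves"}  # the only property that may be included


def parse_properties(text):
    """Parse key=value lines (folding backslash continuations) into a dict."""
    folded = re.sub(r"\\\n\s*", "", text)
    props = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_disabled(props, name):
    """Entries disabled by props[name], with `include <property>` expanded."""
    entries = set()
    for item in (x.strip() for x in props.get(name, "").split(",") if x.strip()):
        if item.startswith("include "):
            target = item[len("include "):].strip()
            if target not in INCLUDABLE:
                raise ValueError(f"{name}: cannot include {target!r}")
            entries |= effective_disabled(props, target)
        else:
            entries.add(item)
    return entries
```

Removing a curve from `jdk.disabled.namedCurves` restores it for every property that includes it, whereas removing the `include` from one property restores all listed curves for that property only.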

People

Assignee: Anthony Scarpino (ascarpino)
Reporter: Anthony Scarpino (ascarpino)