Looks good to me.
--Jamil
On 10/23/18 12:38 PM, Sean Mullan wrote:
Please review this change to add the TLS anonymous and NULL cipher
suites to the "jdk.tls.disabledAlgorithms" security property.
These suites are used rarely and have security weaknesses. Anonymous
suites are vulnerable to man-in-the-middle attacks. NULL suites do not
provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT
negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has
removed them.
These suites are not enabled by default, so an application has to
explicitly enable them using an API or the
"jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system
properties. However, adding them to the "jdk.tls.disabledAlgorithms"
security property adds an extra level of protection and requires an
additional configuration change in order to use them.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/
--Sean
[1] https://tools.ietf.org/html/rfc7525
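
A runtime check for the configuration discussed in this thread, added here as an example; it is not part of the thread or of the OpenJDK change. It assumes the restriction appears in the property as the entries `anon` and `NULL` and that the affected suites can be recognised by `_anon_` or `_NULL_` in their standard names; the class name `WeakSuiteAudit` is hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example: audits the running JDK for anonymous and NULL TLS cipher suites.
public class WeakSuiteAudit {

    // True for names such as TLS_DH_anon_WITH_AES_128_CBC_SHA or
    // TLS_RSA_WITH_NULL_SHA256 (assumption: matching on the standard suite name).
    static boolean isAnonOrNull(String suite) {
        return suite.contains("_anon_") || suite.contains("_NULL_");
    }

    // Splits a comma-separated property value into trimmed, non-empty entries.
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value != null) {
            for (String e : value.split(",")) {
                if (!e.trim().isEmpty()) out.add(e.trim());
            }
        }
        return out;
    }

    // Returns only the anonymous and NULL suites from the given names.
    static List<String> weak(Iterable<String> suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) if (isAnonOrNull(s)) out.add(s);
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> disabled = entries(Security.getProperty("jdk.tls.disabledAlgorithms"));
        // Assumption: the restriction is expressed as the entries "anon" and "NULL".
        System.out.println("anon entry present: " + disabled.contains("anon"));
        System.out.println("NULL entry present: " + disabled.contains("NULL"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("anon/NULL suites enabled by default: "
                + weak(List.of(ctx.getDefaultSSLParameters().getCipherSuites())));
        System.out.println("anon/NULL suites reported as supported: "
                + weak(List.of(ctx.getSupportedSSLParameters().getCipherSuites())));

        // The two system properties named in the message that can explicitly enable suites.
        for (String p : new String[] {"jdk.tls.client.cipherSuites", "jdk.tls.server.cipherSuites"}) {
            System.out.println(p + " requests: " + weak(entries(System.getProperty(p))));
        }
    }
}
```

Run it with the same `java.security` file and `-D` options as the application being audited, since both the security property and the two system properties are read from the running JVM.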