H Bernd,
Thank you for the quick review. All good points!
On 3/20/2019 12:34 AM, Bernd Eckenfels wrote:
Good to understand now.
Do you want to add a sentence how devs&ops can change the order (I.e.
enabling the ciphers in a different order?)
In the JSSE Reference Guide, there are sections talking about cipher
suite preference. I will add a note in the release-note about how to
customize the preference.
Just to be clear, In the Risk Evaluation the „should have been used“
does mean JDK should have done this before, it does not mean it has used
the preference before, right? (Although in practice I guess especially
DHE have been prefered over RSA by peers often)
Right.
The main risk of the change to me seems to be: priotizing DHE over plain
DSS/RSA. As this increases the likelyhood for DHE related interop
problems (due to lack of negotiation of „group“ sizes).
I suspect two aspects reduce the risk, but maybe it should be mentioned
explicitely:
„Preference of DHE_RSA over RSA could increase group/size related
interoperability problems. However it is expected that this is mitigated
by the additional DHE parameters (FFDHE) in group announcement and also
the fact that existing implementations have been confronted with bigger
DHE keys for some time now. Besides many existing servers prefer ECDHE
or would have picked DHE over RSA anyway.“
It makes sense to me. I added to the "Compatibility Risk Description" field.
Considering the existing DHE problems, it may be nice to decrease the
priority of DHE cipher suites as well. I update the CSR accordingly.
I would expect no performance impact as most modern/perfcritical systems
would use ECDHE already (and the perf impact of preferring GCM over CBC
is a different discussion)
Agreed, I think the performance impact is minimal as well.
Thanks,
Xuelei
Gruss
Bernd
--
http://bernd.eckenfels.net
------------------------------------------------------------------------
*Von:* security-dev <[email protected]> im Auftrag
von Xuelei Fan <[email protected]>
*Gesendet:* Mittwoch, März 20, 2019 6:19 AM
*An:* [email protected]
*Betreff:* Re: CSR Review Request, JDK-8163326, The default enabled
cipher suites should prefer forward secrecy
Hi,
I extended this CSR to cover more update, and update per the comments.
Please let me know your concerns by the end of March 21, 2019.
Thanks,
Xuelei
On 3/6/2019 3:41 PM, Bernd Eckenfels wrote:
> I am not clear on what would „preferred in current default context“
> mean. Does that mean it preferred the PFS ciphers anyway.. for suggested
> order in client handshake? as server? And what would be the non-Default
> context. Is this „TLS“ context?
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *Von:* security-dev <[email protected]> im Auftrag
> von Sean Mullan <[email protected]>
> *Gesendet:* Mittwoch, März 6, 2019 9:12 PM
> *An:* [email protected]
> *Betreff:* Re: CSR Review Request, JDK-8163326, The default enabled
> cipher suites should prefer forward secrecy
> Hi Xuelei,
>
> In the Specification section, I think it would be useful to note which
> cipher suites are forward secret and which are not. Otherwise, it is
> difficult to see what has changed, since there are so many supported
> suites. Perhaps in parentheses, ex:
>
> TLS_AES_128_GCM_SHA256 (forward secret)
> ...
>
> I also think you should summarize what has changed or what is roughly
> the new order, for example:
>
> - The TLS_RSA suites have moved down ...
> - The TLS_ECDH suites have moved
> - The SSL_RSA suites have moved down ...
> etc...
>
> --Sean
>
> On 2/21/19 4:45 PM, Xuelei Fan wrote:
> > Hi,
> >
> > Could I get the CSR reviewed?
> > https://bugs.openjdk.java.net/browse/JDK-8219545
> >
> > It is proposed to increase the priority of forward secrecy cipher
> > suites, and decrease the priority of RSA key exchange based cipher
> > suites for the default enabled cipher suites in the SunJSSE provider.
> >
> > Thanks,
> > Xuelei
