On 8/19/19 7:33 AM, Christian Schaefer wrote:
Hi all,
Today, the list of enabled named curves for EC cipher suites can be
specified as “System Property” (name of the system property is
jdk.tls.namedGroups) in JDK 8 and later. It seems like it cannot be
specified as “Security Property”. So unlike jdk.tls.disabledAlgorithms
and jdk.certpath.disabledAlgorithms the property jdk.tls.namedGroups
cannot be specified in the security properties file (i.e.
lib/security/java.security).
In JDK 14, we have added the ability to restrict named groups (and
signature schemes) in the jdk.tls.disabledAlgorithms security property:
https://bugs.openjdk.java.net/browse/JDK-8227445
Does this address your concern?
Is there any chance to enhance this in a future version so that
jdk.tls.namedGroups can also be specified in the security properties
file or is there a reason which I don’t see that explains why
jdk.tls.namedGroups can only be specified as System Property?
There's no precise reason that I know of, but the default is typically
sufficient and secure for most applications and the system property
allows you to adjust it on a per-application basis. This is similar to
the system properties for the enabled cipher suites:
jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites.
Thanks,
Sean
