On Tue, 22 Mar 2022 06:15:07 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> This fix removes obsolete and deprecated 3DES cipher suites from the default 
>> enabled cipher suites list of the SunJSSE provider implementation. 
>> 
>> Note that 3DES suites are already disabled by default via the 
>> `jdk.tls.disabledAlgorithms` security property.  This change goes one step 
>> further and provides an extra level of defense by making them unavailable by 
>> default.  See the CSR for more details: 
>> https://bugs.openjdk.java.net/browse/JDK-8283450
>
> src/java.base/share/classes/sun/security/ssl/CipherSuite.java line 425:
> 
>> 423:             ProtocolVersion.PROTOCOLS_TO_12,
>> 424:             K_RSA, B_3DES, M_SHA, H_SHA256),
>> 425: 
> 
> It is good to have the supported cipher suites ordered.  So it may be nice to 
> have this block between line 348 and 349.

Can you be more specific? I'm not following where you think they should be 
ordered. Are you suggesting they should be ordered before the anon suites even 
though most of them use stronger algorithms? Also, does the order matter if the 
application is going to be setting them via APIs? For example, if an 
application calls `SSLSocket.setEnabledCipherSuites(new String[] { 
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" 
})` is the order specified respected? Or does the provider re-order it 
according to this file?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7894
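
An added example, not part of the original message or the JDK source: a small audit a reader can run on a given JDK to see which 3DES suites the default `SSLContext` reports as supported and as enabled by default, and what an `SSLEngine` reports back after the `setEnabledCipherSuites` call asked about above. The class name `TripleDesSuiteAudit` and the helper `tripleDes` are hypothetical; results depend on the JDK build and its `java.security` settings.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TripleDesSuiteAudit {

    // Keep only suite names that use 3DES (standard names contain "_3DES_").
    static List<String> tripleDes(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.contains("_3DES_"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // First layer mentioned in the thread: the security property.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Second layer: supported (can be enabled via API) vs. enabled by default.
        System.out.println("3DES suites supported:       "
                + tripleDes(ctx.getSupportedSSLParameters().getCipherSuites()));
        System.out.println("3DES suites default-enabled: "
                + tripleDes(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Explicit opt-in through the API, using the two names from the message.
        String[] requested = {
            "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
        };
        SSLEngine engine = ctx.createSSLEngine();
        try {
            engine.setEnabledCipherSuites(requested);
            // Compare the reported order with the requested order.
            System.out.println("requested: " + Arrays.toString(requested));
            System.out.println("reported:  "
                    + Arrays.toString(engine.getEnabledCipherSuites()));
        } catch (IllegalArgumentException e) {
            // Thrown when a requested suite is not supported by the provider.
            System.out.println("rejected by provider: " + e.getMessage());
        }
    }
}
```

A non-empty "default-enabled" list on a production runtime means 3DES is available without any application opt-in and is worth flagging in a configuration review.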
