On Tue, 19 Nov 2024 21:57:04 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> These cipher suites do not preserve forward-secrecy and are not commonly >> used. Other TLS implementations (ex: Rustls) do not support or enable these >> suites by default. RFC 9325 [1] states that these suites should not be used. >> The IETF Draft "Deprecating Obsolete Key Exchange Methods in TLS" [2] >> mandates that these suites not be used. >> >> Some TLS_RSA_* cipher suites are already disabled because they use DES, >> 3DES, RC4, or NULL, which are disabled. This action will disable all >> remaining TLS_RSA cipher suites. >> >> [1] RFC 9325, Recommendations for Secure Use of TLS and DTLS >> (https://www.rfc-editor.org/rfc/rfc9325.html#section-4.1-2.5.1): >> "Implementations SHOULD NOT negotiate cipher suites based on RSA key >> transport, a.k.a. "static RSA". Rationale: These cipher suites, which have >> assigned values starting with the string "TLS_RSA_WITH_*", have several >> drawbacks, especially the fact that they do not support forward secrecy." >> [2] IETF Draft, Deprecating Obsolete Key Exchange Methods in TLS >> (https://www.ietf.org/archive/id/draft-ietf-tls-deprecate-obsolete-kex-05.html#section-4): >> "Clients MUST NOT offer and servers MUST NOT select RSA cipher suites in >> TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], >> and TLS 1.3 does not support static RSA [RFC8446].)" > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Remove the empty lines added Please also update `test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java` with the list of disabled TLS_RSA suites, and add 8245545 to the `@bug` line. This test will check that the suites are disabled. test/jdk/javax/net/ssl/DTLS/DTLSMFLNTest.java line 56: > 54: public class DTLSMFLNTest { > 55: public static void main(String[] args) { > 56: SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); Are you sure this is needed? This test passes for me if I comment out this line. test/jdk/javax/net/ssl/SSLEngine/Basics.java line 60: > 58: > 59: public static void main(String[] args) throws Exception { > 60: SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); Add comment: // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java line 66: > 64: > 65: public static void main(String[] args) throws Exception { > 66: SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); Add comment: // Re-enable TLS_RSA_* since test depends on it. test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java line 175: > 173: > 174: public static void main(String[] args) throws Exception { > 175: // Re-enable TLSv1.1 since test depends on it. Update comment: s/TLSv1/TLSv1 and TLS_RSA_*/ test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java line 162: > 160: > 161: public static void main(String[] args) throws Exception { > 162: SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); Add comment: // Re-enable TLS_RSA_* since test depends on it. test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java line 1: > 1: /* For this test, please add 8245545 to the `@bug` line because it is making sure that the TLS_RSA suites are disabled. test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java line 61: > 59: > 60: public static void main(String[] args) { > 61: SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); Add comment: // Re-enable TLS_RSA_* since test depends on it. test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java line 85: > 83: > 84: public static void main(String[] args) throws Exception { > 85: SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); Add comment: // Re-enable TLS_RSA_* since test depends on it. test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java line 273: > 271: */ > 272: public static void main(String args[]) throws Exception { > 273: // Re-enable TLSv1 since test depends on it. Update comment: s/TLSv1/TLSv1 and TLS_RSA_*/ test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java line 103: > 101: System.out.println("Test Passed."); > 102: } else { > 103: // Re-enable TLSv1 since test depends on it Update comment: s/TLSv1/TLSv1 and TLS_RSA_*/ ------------- PR Comment: https://git.openjdk.org/jdk/pull/22163#issuecomment-2488785774 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850445796 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850357240 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850356757 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850356442 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850355856 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850448748 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850355458 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850355178 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850353925 PR Review Comment: https://git.openjdk.org/jdk/pull/22163#discussion_r1850354223
