On Fri, 25 Oct 2024 19:40:38 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to
>> disable algorithms that affect both the key exchange and authentication
>> parts of a TLS cipher suite. For example, if you add "RSA" to the
>> jdk.tls.disabledAlgorithms security property, it disables all cipher suites
>> that use RSA, whether it is for key exchange or authentication. If you only
>> want to disable cipher suites that use RSA for key exchange, the only
>> workaround is to list the whole cipher suite name, so an exact match is
>> done, but if there are many cipher suites that use that key exchange
>> algorithm, this becomes cumbersome.
>>
>> We should extend the syntax of the property to be able to distinguish
>> between different cryptographic primitives used in the cipher suite. I think
>> adding a new constraint something like:
>>
>>     TLSCipherConstraint: kx | authn
>>
>> So when disabling TLS_RSA suites, you would add "RSA kx" to the property.
>
> Artur Barashev has updated the pull request with a new target base due to a
> merge or a rebase. The incremental webrev excludes the unrelated changes
> brought in by the merge/rebase. The pull request contains 13 additional
> commits since the last revision:
>
>  - Do exact match on jdk.tls.disabledAlgorithms property
>  - Merge branch 'master' into JDK-8341964
>  - Remove duplicate description from docs
>  - Re-ordering and simplifying the checks. Restricting new constraint to TLS.
>    Updating docs.
>  - Revert Copyright on unmodified file
>  - Update comments and Copyright
>  - Match TLSCipherConstraint constraint against any algorithm. TLSv1.3 test
>    case.
>  - Merge branch 'master' into JDK-8341964
>  - Add tests
>  - Naming update
>  - ... and 3 more: https://git.openjdk.org/jdk/compare/ed909bbc...fd3ae924

Marked as reviewed by abdelhak-za...@github.com (no known OpenJDK username).

-------------

PR Review: https://git.openjdk.org/jdk/pull/21577#pullrequestreview-2379664759