> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to 
> disable algorithms that affect both the key exchange and authentication parts 
> of a TLS cipher suite. For example, if you add "RSA" to the 
> jdk.tls.disabledAlgorithms security property, it disables all cipher suites 
> that use RSA, whether it is for key exchange or authentication. If you only 
> want to disable cipher suites that use RSA for key exchange, the only 
> workaround is to list the whole cipher suite name, so an exact match is done, 
> but if there are many cipher suites that use that key exchange algorithm, 
> this becomes cumbersome.
> 
> We should extend the syntax of the property to be able to distinguish between 
> different cryptographic primitives used in the cipher suite. I think adding a 
> new constraint, something like:
> 
> TLSCipherConstraint: kx | authn
> 
> So when disabling TLS_RSA suites, you would add "RSA kx" to the property.

Artur Barashev has updated the pull request with a new target base due to a 
merge or a rebase. The incremental webrev excludes the unrelated changes 
brought in by the merge/rebase. The pull request contains 13 additional commits 
since the last revision:

 - Do exact match on jdk.tls.disabledAlgorithms property
 - Merge branch 'master' into JDK-8341964
 - Remove duplicate description from docs
 - Re-ordering and simplifying the checks. Restricting new constraint to TLS. Updating docs.
 - Revert Copyright on unmodified file
 - Update comments and Copyright
 - Match TLSCipherConstraint constraint against any algorithm. TLSv1.3 test case.
 - Merge branch 'master' into JDK-8341964
 - Add tests
 - Naming update
 - ... and 3 more: https://git.openjdk.org/jdk/compare/ed909bbc...fd3ae924

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/21577/files
  - new: https://git.openjdk.org/jdk/pull/21577/files/69855099..fd3ae924

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=21577&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=21577&range=00-01

  Stats: 53001 lines in 970 files changed: 27329 ins; 22007 del; 3665 mod
  Patch: https://git.openjdk.org/jdk/pull/21577.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/21577/head:pull/21577

PR: https://git.openjdk.org/jdk/pull/21577
