On Fri, 1 Nov 2024 15:04:47 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

> Did you consider the option to support cipher suite regex Pattern, for 
> example TLS_RSA_* for the restriction? The update is a little bit complicated 
> to me.

Yes, I think we mentioned using regex during our internal discussions. We also 
considered a much simpler solution that would be fine for a one-off case but is 
kind of hacky: use `RSA-kx` in the config file and also add it to 
`SSLAlgorithmDecomposer#decomposes(CipherSuite.KeyExchange keyExchange)`. I 
approached this task not as a one-off case but as an expandable design to 
disable parts of a TLS cipher suite. So we can easily expand it by adding new 
bulk or hash parameters to disable certain algorithms from being used as bulk 
ciphers or hash functions.

About using wildcards: that's definitely worth considering, I may put together 
an alternative PR that uses wildcards (true regex is not really needed here, 
and not as user-friendly either). It would not be as user-friendly as `RSA kx` though, 
the end users need to know exactly what they are doing, i.e. they need to know 
the exact format of cipher suite names, etc. Since these config values are used 
to disable both a simple algorithm and a complete cipher suite, the wildcard 
would apply to both, so putting something like `*ECDH*` would disable a whole 
bunch of algorithms and cipher suites.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21577#issuecomment-2452251214

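The difference between a component-level rule (an "RSA kx" style restriction) and a name wildcard such as `TLS_RSA_*` or `*ECDH*` is easiest to see over a concrete list of suite names. The following is an added example, not code from the PR, the JDK or the thread participants: a small Python model that splits IANA cipher suite names into key exchange, authentication, bulk cipher and hash components the way the thread describes, and applies both kinds of restriction to a constructed sample list. The function names (`decompose`, `disable_by_component`, `disable_by_glob`, `removed`) and the sample suite list are assumptions made for the example; the JDK's own `SSLAlgorithmDecomposer` and `jdk.tls.disabledAlgorithms` syntax are not reproduced here.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of IANA cipher suite names (TLS 1.2 and 1.3) for the
# demonstration; this is not a JDK default list.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
]

# Key exchange names as they appear in suite names; longer names first so
# that "ECDHE_RSA" is not mistaken for an "ECDH_" suite.
_KX_NAMES = ("ECDHE", "ECDH", "DHE", "DH", "RSA")


@dataclass(frozen=True)
class SuiteParts:
    name: str
    kx: Optional[str]    # key exchange (None for TLS 1.3 suites)
    auth: Optional[str]  # authentication (None for TLS 1.3 suites)
    bulk: str            # bulk cipher, e.g. AES_128_GCM
    mac: str             # MAC / PRF hash, e.g. SHA256


def decompose(name: str) -> SuiteParts:
    """Split an IANA suite name into its algorithm components.

    TLS 1.2 names have the form TLS_<kx>[_<auth>]_WITH_<bulk>_<mac>; when the
    <auth> part is absent (TLS_RSA_WITH_...), the same algorithm does both.
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no kx/auth part at all.
    This is a model of the idea only, not the JDK's SSLAlgorithmDecomposer.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        bulk, _, mac = body.rpartition("_")
        return SuiteParts(name, None, None, bulk, mac)
    kx_auth, _, bulk_mac = body.partition("_WITH_")
    bulk, _, mac = bulk_mac.rpartition("_")
    for kx in _KX_NAMES:
        if kx_auth == kx:
            return SuiteParts(name, kx, kx, bulk, mac)
        if kx_auth.startswith(kx + "_"):
            return SuiteParts(name, kx, kx_auth[len(kx) + 1:], bulk, mac)
    raise ValueError(f"unrecognised key exchange in {name}")


def disable_by_component(suites: List[str], *, kx: Optional[str] = None,
                         bulk: Optional[str] = None,
                         mac: Optional[str] = None) -> List[str]:
    """Structured restriction: drop a suite only when a named component
    matches exactly (the "RSA kx" style of rule discussed in the thread)."""
    kept = []
    for s in suites:
        p = decompose(s)
        hit = (
            (kx is not None and p.kx == kx)
            or (bulk is not None and p.bulk == bulk)
            or (mac is not None and p.mac == mac)
        )
        if not hit:
            kept.append(s)
    return kept


def disable_by_glob(suites: List[str], pattern: str) -> List[str]:
    """Wildcard restriction over the raw suite name (TLS_RSA_*, *ECDH*)."""
    return [s for s in suites if not fnmatch.fnmatchcase(s, pattern)]


def removed(suites: List[str], kept: List[str]) -> List[str]:
    """The suites a rule actually disabled, in original order."""
    return [s for s in suites if s not in kept]


if __name__ == "__main__":
    rules = {
        "kx=RSA": disable_by_component(SAMPLE_SUITES, kx="RSA"),
        "TLS_RSA_*": disable_by_glob(SAMPLE_SUITES, "TLS_RSA_*"),
        "*RSA*": disable_by_glob(SAMPLE_SUITES, "*RSA*"),
        "*ECDH*": disable_by_glob(SAMPLE_SUITES, "*ECDH*"),
    }
    for label, kept in rules.items():
        print(f"{label:10s} disables: {removed(SAMPLE_SUITES, kept)}")
```

On this sample the component rule `kx=RSA` and the wildcard `TLS_RSA_*` disable the same two static-RSA suites, which is the one-off case the thread is about. The broader wildcards show the caveat raised in the reply: `*RSA*` also removes the `ECDHE_RSA` and `DHE_RSA` suites, where RSA is used only for authentication and the key exchange is ephemeral, and `*ECDH*` removes ephemeral `ECDHE` suites along with static `ECDH` ones. Whoever writes such a pattern has to know the exact suite naming to avoid disabling more than intended.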