On Wed, 30 Oct 2024 15:44:58 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to >> disable algorithms that affect both the key exchange and authentication >> parts of a TLS cipher suite. For example, if you add "RSA" to the >> jdk.tls.disabledAlgorithms security property, it disables all cipher suites >> that use RSA, whether it is for key exchange or authentication. If you only >> want to disable cipher suites that use RSA for key exchange, the only >> workaround is to list the whole cipher suite name, so an exact match is >> done, but if there are many cipher suites that use that key exchange >> algorithm, this becomes cumbersome. >> >> We should extend the syntax of the property to be able to distinguish >> between different cryptographic primitives used in the cipher suite. I think >> adding a new constraint something like: >> >> TLSCipherConstraint: kx | authn >> >> So when disabling TLS_RSA suites, you would add "RSA kx" to the property. > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Naming update. Adjust line length. It may be personal, but I think the wildcard's solution is much simple: simple to use, simple to implement and simple to extension, simple to back-port, and user friendly. It adds new learning curve if we adding something like "kx", which does not show elsewhere except here. I don't think we want it if wild-card solution works. I will review the PR using wild-card next week. ------------- PR Comment: https://git.openjdk.org/jdk/pull/21577#issuecomment-2453107117
