On Fri, 18 Oct 2024 03:08:49 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether it is for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name, so an exact match is done, but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
>
> We should extend the syntax of the property to be able to distinguish between different cryptographic primitives used in the cipher suite. I think adding a new constraint something like:
>
> TLSCipherConstraint: kx | authn
>
> So when disabling TLS_RSA suites, you would add "RSA kx" to the property.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.org/jdk/pull/21577
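
The exact-name workaround described in the quoted text, as an added example that is not part of the original message or of the JDK's code: it picks out the suites whose key exchange is RSA, leaving RSA-authenticated ECDHE/DHE suites alone, and prints the names to append to jdk.tls.disabledAlgorithms. The class name, the helper names and the sample list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class and helper names).
public class RsaKxSuites {

    // Returns the key exchange token of a pre-TLS 1.3 suite name, or null when
    // the name has no "_WITH_" part (TLS 1.3 suites and the SCSV marker carry
    // no key exchange or authentication component in their names).
    static String keyExchange(String suite) {
        int with = suite.indexOf("_WITH_");
        boolean known = suite.startsWith("TLS_") || suite.startsWith("SSL_");
        if (!known || with < 0) {
            return null;
        }
        // The prefix is "KX" or "KX_AUTH", e.g. "RSA", "ECDHE_RSA", "DH_anon".
        // A single token such as "RSA" names both key exchange and authentication.
        String prefix = suite.substring(4, with);
        int sep = prefix.indexOf('_');
        return sep < 0 ? prefix : prefix.substring(0, sep);
    }

    // Suites that use RSA for key exchange; ECDHE_RSA and DHE_RSA are not matched.
    static List<String> rsaKeyExchangeSuites(List<String> suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if ("RSA".equals(keyExchange(s))) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of standard suite names; on a real JVM, pass
        // SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
        List<String> sample = List.of(
                "TLS_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_256_CBC_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
        // Comma-separated names to append to jdk.tls.disabledAlgorithms.
        System.out.println(String.join(", ", rsaKeyExchangeSuites(sample)));
    }
}
```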