> These cipher suites do not preserve forward-secrecy and are not commonly 
> used. Other TLS implementations (ex: Rustls) do not support or enable these 
> suites by default. RFC 9325 [1] states that these suites should not be used. 
> The IETF Draft "Deprecating Obsolete Key Exchange Methods in TLS" [2] 
> mandates that these suites not be used.
> 
> Some TLS_RSA_* cipher suites are already disabled because they use DES, 3DES, 
> RC4, or NULL, which are disabled. This action will disable all remaining 
> TLS_RSA cipher suites.
> 
> [1] RFC 9325, Recommendations for Secure Use of TLS and DTLS 
> (https://www.rfc-editor.org/rfc/rfc9325.html#section-4.1-2.5.1): 
> "Implementations SHOULD NOT negotiate cipher suites based on RSA key 
> transport, a.k.a. "static RSA". Rationale: These cipher suites, which have 
> assigned values starting with the string "TLS_RSA_WITH_*", have several 
> drawbacks, especially the fact that they do not support forward secrecy."
> [2] IETF Draft, Deprecating Obsolete Key Exchange Methods in TLS 
> (https://www.ietf.org/archive/id/draft-ietf-tls-deprecate-obsolete-kex-05.html#section-4):
> "Clients MUST NOT offer and servers MUST NOT select RSA cipher suites in TLS 
> 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and 
> TLS 1.3 does not support static RSA [RFC8446].)"

Artur Barashev has updated the pull request with a new target base due to a 
merge or a rebase. The incremental webrev excludes the unrelated changes 
brought in by the merge/rebase. The pull request contains five additional 
commits since the last revision:

 - Merge branch 'master' into JDK-8245545_regex
 - Remove the empty lines added
 - Import order
 - Revert imports
 - 8245545: Disable TLS_RSA cipher suites

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/22163/files
  - new: https://git.openjdk.org/jdk/pull/22163/files/0d870a04..d95c0449

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=22163&range=04
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22163&range=03-04

  Stats: 71413 lines in 1055 files changed: 32320 ins; 34743 del; 4350 mod
  Patch: https://git.openjdk.org/jdk/pull/22163.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22163/head:pull/22163

PR: https://git.openjdk.org/jdk/pull/22163
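As an added illustration, not part of this pull request or of the JDK sources, the following Java program audits the JVM's default SSLContext for the static-RSA key transport suites the change targets (names beginning with `TLS_RSA_`) and shows the two ways an application can remove them ahead of the new default: per connection through `SSLParameters`, or JVM-wide by extending the documented `jdk.tls.disabledAlgorithms` security property. The class name and the `--disable` flag are invented for this example; the six suite names listed in `disableStaticRsaJvmWide` are the standard IANA names of the AES-based TLS_RSA suites, the exact set depending on the JDK release in use.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Hypothetical audit tool (not JDK code): reports which enabled cipher suites
 * use static RSA key transport and shows how to exclude them.
 *
 * Only the "TLS_RSA_" prefix is matched. Suites such as TLS_ECDHE_RSA_* or
 * TLS_DHE_RSA_* use RSA for authentication only; their key exchange is
 * ephemeral and they keep forward secrecy, so they are deliberately left alone.
 */
public class StaticRsaSuiteAudit {

    static final String STATIC_RSA_PREFIX = "TLS_RSA_";

    /** Returns the suites from the given array that use RSA key transport. */
    static List<String> staticRsaSuites(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.startsWith(STATIC_RSA_PREFIX))
                .collect(Collectors.toList());
    }

    /** Returns a copy of the given suites with every TLS_RSA_* entry removed. */
    static String[] withoutStaticRsa(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !s.startsWith(STATIC_RSA_PREFIX))
                .toArray(String[]::new);
    }

    /**
     * JVM-wide alternative: append the remaining static-RSA suites to the
     * jdk.tls.disabledAlgorithms security property. This has to run before the
     * first SSLContext is initialised; afterwards the old value is already in use.
     */
    static void disableStaticRsaJvmWide() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = String.join(", ",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_256_GCM_SHA384");
        Security.setProperty("jdk.tls.disabledAlgorithms",
                (current == null || current.isEmpty()) ? extra : current + ", " + extra);
    }

    public static void main(String[] args) throws Exception {
        // "--disable" is an invented flag for this example, not a JDK option.
        if (args.length > 0 && args[0].equals("--disable")) {
            disableStaticRsaJvmWide();
        }

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] enabled = engine.getEnabledCipherSuites();

        List<String> rsaKex = staticRsaSuites(enabled);
        System.out.println("Enabled suites: " + enabled.length);
        System.out.println("Static-RSA (no forward secrecy) suites enabled: " + rsaKex.size());
        rsaKex.forEach(s -> System.out.println("  " + s));

        // Per-connection alternative: hand the engine (or an SSLSocket) a
        // filtered suite list through its SSLParameters.
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(withoutStaticRsa(enabled));
        engine.setSSLParameters(params);

        System.out.println("Static-RSA suites after filtering: "
                + staticRsaSuites(engine.getEnabledCipherSuites()).size());
    }
}
```

On a JDK that already ships the change in this pull request the first report is empty, which is the quickest way to confirm that the new default has taken effect; on an older release the `--disable` path gives the same result without waiting for an upgrade, provided it runs before any TLS code has initialised a context.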
