Hello there!
Please review this patch disabling deprecated, broken, or insecure crypto
algorithms. I think it is fair to say that these should be sane defaults by now,
similar to what the major web browser vendors do.
AFAICT, JDK 8 ships with only one legacy MD5withRSA-signed certificate, which is
from the GTE CyberTrust Global Root CA. All other CAs have moved to SHA1 or
SHA256 signatures. So this certificate would have to be replaced by package
maintainers and/or release engineers.
If it is too late for JDK 8 then JDK 9 should definitely deploy with these
defaults.
Regards,
Jacob
diff -r b1be6ed0ec4b src/share/lib/security/java.security-aix
--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -472,7 +472,7 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
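Review bot: The certpath property keeps `RSA keySize < 1024` while the TLS property later in this patch moves to `RSA keySize < 2048`, so certification path validation outside TLS would still accept 1024-bit RSA keys; if that gap is intended it should be stated in a comment above the property, and if not the two floors should match. The description mentions a bundled MD5withRSA root; whether a trust anchor's own signature is subject to this constraint is not visible in the hunk, so I would confirm it with a validation test against the shipped cacerts before changing the default. A comment such as `# MD5 added: MD5withRSA signatures are rejected during certification path validation` would document the new entry. The same points apply to the identical hunks in java.security-linux, -macosx, -solaris and -windows.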
@@ -500,4 +500,7 @@
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSL, SSLv2, SSLv3,\
+ MD2, MD5,\
+ DES, DESede, DESedeWrap, RC2, RC4, ARCFOUR,\
+ RSA keySize < 2048
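Review bot: `SSL` and `SSLv2` in the new `jdk.tls.disabledAlgorithms` value probably match nothing, since JSSE names its protocols `SSLv2Hello`, `SSLv3`, `TLSv1` and so on; these two entries suggest coverage the property does not add, so I would drop them or use `SSLv2Hello` if that is what is meant. Disabling `DESede` removes the 3DES suites, which older TLS peers may still need as their only common cipher, so this default deserves an interoperability test and a release note. The `# Example:` comment above the property is unchanged and does not describe the new multi-line default; a line such as `# Default: legacy SSL protocols, MD2/MD5, DES/3DES/RC2/RC4 and RSA keys below 2048 bits are rejected` would help the next reader. The same hunk is repeated in java.security-linux, -macosx, -solaris and -windows.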
diff -r b1be6ed0ec4b src/share/lib/security/java.security-linux
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -472,7 +472,7 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
@@ -500,4 +500,7 @@
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSL, SSLv2, SSLv3,\
+ MD2, MD5,\
+ DES, DESede, DESedeWrap, RC2, RC4, ARCFOUR,\
+ RSA keySize < 2048
diff -r b1be6ed0ec4b src/share/lib/security/java.security-macosx
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -475,7 +475,7 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
@@ -503,4 +503,7 @@
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSL, SSLv2, SSLv3,\
+ MD2, MD5,\
+ DES, DESede, DESedeWrap, RC2, RC4, ARCFOUR,\
+ RSA keySize < 2048
diff -r b1be6ed0ec4b src/share/lib/security/java.security-solaris
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -474,7 +474,7 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
@@ -502,4 +502,7 @@
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSL, SSLv2, SSLv3,\
+ MD2, MD5,\
+ DES, DESede, DESedeWrap, RC2, RC4, ARCFOUR,\
+ RSA keySize < 2048
diff -r b1be6ed0ec4b src/share/lib/security/java.security-windows
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -475,7 +475,7 @@
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
@@ -503,4 +503,7 @@
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSL, SSLv2, SSLv3,\
+ MD2, MD5,\
+ DES, DESede, DESedeWrap, RC2, RC4, ARCFOUR,\
+ RSA keySize < 2048