Please review this change to add the TLS anonymous and NULL cipher
suites to the "jdk.tls.disabledAlgorithms" security property.

These suites are used rarely and have security weaknesses. Anonymous
suites are vulnerable to man-in-the-middle attacks. NULL suites do not
provide confidentiality. RFC 7525 [1] says: "Implementations MUST NOT
negotiate the cipher suites with NULL encryption." Also, TLS 1.3 has
removed them.

These suites are not enabled by default, so an application has to
explicitly enable them using an API or the "jdk.tls.client.cipherSuites"
or "jdk.tls.server.cipherSuites" system properties. However, adding them
to the "jdk.tls.disabledAlgorithms" security property adds an extra
level of protection and requires an additional configuration change in
order to use them.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8211883/webrev.00/

--Sean

[1] https://tools.ietf.org/html/rfc7525