On Thu, 16 Jul 2026 13:18:18 GMT, Sean Mullan <[email protected]> wrote:
> Improve the definition of the jdk.tls.disabledAlgorithm security property to > specify how components of the cipher suite can be disabled. This has never > been clearly specified. > > --------- > - [x] I confirm that I make this contribution in accordance with the [OpenJDK > Interim AI Policy](https://openjdk.org/legal/ai). src/java.base/share/conf/security/java.security line 749: > 747: # the key exchange algorithm "ECDH_ECDSA" will disable all cipher > suites > 748: # that contain ECDH_ECDSA as the key exchange algorithm. Similarly, > the > 749: # bulk encryption algorithm "3DES_EDE_CBC" will disable all cipher > suites - `3DES_EDE_CBC` is already disabled by default in `jdk.tls.disabledAlgorithms`, should we use a more realistic example like `AES_128_CBC`? - Should we also include an example for `HmacSHA256`? It's far from being obvious that such algorithm disables all cipher suites anding with `_SHA256`. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/31933#discussion_r3596612951
