On Thu, 16 Jul 2026 13:18:18 GMT, Sean Mullan <[email protected]> wrote:

> Improve the definition of the jdk.tls.disabledAlgorithm security property to 
> specify how components of the cipher suite can be disabled. This has never 
> been clearly specified.
> 
> ---------
> - [x] I confirm that I make this contribution in accordance with the [OpenJDK 
> Interim AI Policy](https://openjdk.org/legal/ai).

src/java.base/share/conf/security/java.security line 749:

> 747: #     the key exchange algorithm "ECDH_ECDSA" will disable all cipher 
> suites
> 748: #     that contain ECDH_ECDSA as the key exchange algorithm. Similarly, 
> the
> 749: #     bulk encryption algorithm "3DES_EDE_CBC" will disable all cipher 
> suites

- `3DES_EDE_CBC` is already disabled by default in 
`jdk.tls.disabledAlgorithms`, should we use a more realistic example like 
`AES_128_CBC`?
- Should we also include an example for `HmacSHA256`? It's far from being 
obvious that such algorithm disables all cipher suites anding with `_SHA256`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/31933#discussion_r3596612951

Reply via email to