On Thu, 16 Jul 2026 15:22:04 GMT, Sean Mullan <[email protected]> wrote:

>> src/java.base/share/conf/security/java.security line 749:
>> 
>>> 747: #     the key exchange algorithm "ECDH_ECDSA" will disable all cipher 
>>> suites
>>> 748: #     that contain ECDH_ECDSA as the key exchange algorithm. 
>>> Similarly, the
>>> 749: #     bulk encryption algorithm "3DES_EDE_CBC" will disable all cipher 
>>> suites
>> 
>> - `3DES_EDE_CBC` is already disabled by default in 
>> `jdk.tls.disabledAlgorithms`, should we use a more realistic example like 
>> `AES_128_CBC`?
>> - Should we also include an example for `HmacSHA256`? It's far from being 
>> obvious that such algorithm disables all cipher suites ending with `_SHA256`.
>
> The reason I chose 3DES_EDE_CBC is because it is a case where one can see 
> already that we have implemented something that is not specified. But I'm not 
> tied to it, I can switch it to AES_128_CBC.
> 
> As for HmacSHA256 disabling cipher suites with SHA256 as the Mac in the name, 
> I agree that is not obvious. Let me think about it as it is a bit awkward to 
> document. It's a corner case but might be useful where you want to disable a 
> Mac but not the algorithm if used as the hash algorithm in other places, like 
> certificate signatures.

Added a sentence for the Hmac case in 
https://github.com/openjdk/jdk/pull/31933/changes/32f6574eb33e486f670845b70920cf160c857503.

Also added an example for sub-element matching.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/31933#discussion_r3598374629

Reply via email to