JDK-8162362 : Introduce system property to control enabled ciphersuites
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 6u115
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2016-07-22
  • Updated: 2019-02-18
  • Resolved: 2016-08-13
The Version table lists the release in which this issue/RFE will be or has been addressed.

Unresolved: release in which this issue/RFE will be addressed.
Resolved: release in which this issue/RFE has been resolved.
Fixed: release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
Release   Build       Status
JDK 7     7u211       Fixed
JDK 8     8u182       Resolved
JDK 9     9 b132      Fixed
Other     openjdk7u   Fixed
Sub Tasks
  • JDK-8162786
  • JDK-8162787
Description
One of the changes in 6u105 is disabling SSL_RSA_WITH_DES_CBC_SHA. The cipher suite still shows up as one of the supported cipher suites; however, any attempt to enable it fails.

If a cipher suite is getting weak or vulnerable, it is normally removed from the default enabled list in the JDK. The compatibility impact of the removal is normally minimal if there are other available cipher suites enabled.

However, some applications may want to support the disabled cipher suites in the JDK. If the source code is not accessible, there is not much of a workaround to get the cipher suite back to work once it has been removed from the default enabled list in the JDK.


Comments
FC Extension Request: CCC and code review are in progress.

In the SSL/TLS/DTLS protocols, cipher suites define a suite of crypto algorithms that are used to establish a secure connection. If an application does not specify the cipher suites used for the connection, the JSSE provider's default enabled cipher suites will be used instead in the JDK. If a cipher suite is getting weak or vulnerable, it is normally removed from the default enabled list in the JDK. The compatibility impact of the removal is normally minimal if there are other available cipher suites enabled.

However, some applications may want to support the disabled cipher suites in the JDK. If the source code is not accessible, there is not much of a workaround to get the cipher suite back to work once it has been removed from the default enabled list in the JDK.

This fix introduces two new system properties, which can be used to customize the default enabled cipher suites. This is important for those applications that cannot update source code but still have to use disabled cipher suites. The risk of this update is minimal: there is no behavior change if applications do not set the properties. Hopefully the fix can be pushed within 1-2 days of approval once the CCC and code review are approved.
29-07-2016
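The description and the comment above both describe the same mechanism: JSSE keeps a supported list and a smaller default-enabled list, weak suites are dropped from the enabled list, and the two new system properties let a deployment override that default list without touching application code. The following audit program is an added example for this page, not code from the JDK or from this bug report. It reads the running JVM's supported and default-enabled suites through the public SSLContext API, lists the suites that are supported but not enabled by default, checks whether the override properties have been set (their shipped names, jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites, are not given in the report itself), and flags any entry of a constructed watchlist of single-DES suites. The watchlist's first entry is the suite named in the report; the two DHE variants are an assumption made for the example.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Audit of the JSSE default enabled cipher suites. Constructed example for
 * this page; not code from the JDK or from the bug report.
 */
public class CipherSuiteAudit {

    /** The two override properties this RFE introduced (as shipped in JDK 9 and 8u181+). */
    static final String[] OVERRIDE_PROPERTIES = {
            "jdk.tls.client.cipherSuites", "jdk.tls.server.cipherSuites"};

    /**
     * Constructed watchlist of suites the audit treats as weak. The first entry
     * is the DES suite the bug report names; the DHE entries are an assumption
     * for this example (same single-DES cipher, different key exchange).
     */
    static final Set<String> WATCHLIST = new LinkedHashSet<>(Arrays.asList(
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_DSS_WITH_DES_CBC_SHA"));

    /** Watchlist suites that appear in the given enabled list, in list order. */
    static List<String> weakSuitesEnabled(String[] enabled) {
        List<String> hits = new ArrayList<>();
        for (String suite : enabled) {
            if (WATCHLIST.contains(suite)) {
                hits.add(suite);
            }
        }
        return hits;
    }

    /** Suites the provider supports but does not enable by default. */
    static List<String> supportedButNotEnabled(String[] supported, String[] enabled) {
        Set<String> on = new LinkedHashSet<>(Arrays.asList(enabled));
        List<String> off = new ArrayList<>();
        for (String suite : supported) {
            if (!on.contains(suite)) {
                off.add(suite);
            }
        }
        return off;
    }

    /** Parse a comma-separated property value the way an operator would set it. */
    static List<String> parseSuiteList(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) {
            return out;
        }
        for (String part : value.split(",")) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        System.out.println("supported suites      : " + supported.length);
        System.out.println("default-enabled suites: " + enabled.length);
        System.out.println("supported but not enabled by default:");
        for (String suite : supportedButNotEnabled(supported, enabled)) {
            System.out.println("  " + suite);
        }

        // The override properties are how a deployment without source access
        // changes the default list, so the audit surfaces their values instead
        // of silently trusting the JDK defaults.
        for (String prop : OVERRIDE_PROPERTIES) {
            String value = System.getProperty(prop);
            System.out.println(prop + " = " + (value == null ? "<not set>" : value));
            for (String suite : parseSuiteList(value)) {
                if (WATCHLIST.contains(suite)) {
                    System.out.println("  WARNING: " + prop + " requests weak suite " + suite);
                }
            }
        }

        List<String> weak = weakSuitesEnabled(enabled);
        if (weak.isEmpty()) {
            System.out.println("OK: no watchlist suite is enabled by default");
        } else {
            System.out.println("FAIL: weak suites enabled by default: " + weak);
        }
    }
}
```

Run it once on a bare JVM and once with the exact -D flags the deployment uses, since the properties are read at startup and change what "default enabled" means for that process. In current JDKs a suite named in either property is ignored if the provider does not support it or if jdk.tls.disabledAlgorithms disables it, so the audit's WARNING on the property value and its FAIL on the effective enabled list can differ; the effective list is the one that matters.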

Review: http://mail.openjdk.java.net/pipermail/security-dev/2016-July/014501.html
29-07-2016

6u105 release notes: http://www.oracle.com/technetwork/java/javase/6u105-relnotes-2703317.html now has a "Weak DES based ciphersuites no longer enabled by default" section.
28-07-2016

7-na since these weak DES ciphersuites were not enabled in the GA release
22-07-2016