JDK-8076221 : Disable RC4 cipher suites
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component:
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-03-30
  • Updated: 2017-05-17
  • Resolved: 2015-04-15
8u60: Fixed, 9 b61: Fixed
The proposal [1] to prohibit RC4 has been accepted by the IETF. We should add RC4 to the "jdk.tls.disabledAlgorithms" security property.

You can also use the command line option to override the jdk.tls.disabledAlgorithms security property and re-enable RC4, ex: java ... where is a file containing the property without RC4: jdk.tls.disabledAlgorithms=SSLv3

Suggested release note: RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465). Accordingly, RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE implementation by adding "RC4" to the "jdk.tls.disabledAlgorithms" security property, and by removing them from the default enabled ciphersuites list. These cipher suites can be reactivated by removing "RC4" from the "jdk.tls.disabledAlgorithms" security property in the file or by dynamically calling Security.setProperty(), and also re-adding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.
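An added example, not part of the bug report or of the JDK change itself: a small Java check that a given JVM matches the two defaults described in the release note above, namely that "RC4" is listed in jdk.tls.disabledAlgorithms and that no RC4 suite is in the default enabled list. The class name Rc4Audit and its helper methods are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class): audits whether this JVM still permits RC4 in TLS.
public class Rc4Audit {

    // True when the comma-separated property value contains "RC4" as its own entry.
    static boolean propertyDisablesRc4(String value) {
        if (value == null) return false;
        for (String entry : value.split(",")) {
            if (entry.trim().equalsIgnoreCase("RC4")) return true;
        }
        return false;
    }

    // Returns the RC4-based suites present in the given suite list.
    static List<String> rc4Suites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_RC4_")) hits.add(s);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Effective value, including any override applied at JVM start-up.
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        boolean disabled = propertyDisablesRc4(prop);

        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = rc4Suites(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = rc4Suites(ctx.getSupportedSSLParameters().getCipherSuites());

        System.out.println("jdk.tls.disabledAlgorithms = " + prop);
        System.out.println("RC4 listed in disabledAlgorithms: " + disabled);
        System.out.println("RC4 suites enabled by default:    " + enabled);
        System.out.println("RC4 suites in the supported list: " + supported);

        // Fail if either default from the release note is not in effect.
        if (!disabled || !enabled.isEmpty()) {
            System.err.println("FAIL: RC4 is not fully deactivated in this JVM");
            System.exit(1);
        }
        System.out.println("OK: RC4 deactivated by default");
    }
}
```

Run it with the same JVM options as the application under review, so that any security property override in effect for that application is reflected in the result.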

release-note=yes: Better to talk about how to re-enable RC4 cipher suites if necessary. The description depends on whether JDK-8043202 is released at the same time or not. Please contact me for the release-note review.

Code review: