JDK-8076221 : Disable RC4 cipher suites
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-03-30
  • Updated: 2018-10-08
  • Resolved: 2015-04-15
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
8u60Fixed 9 b61Fixed
Related Reports
Relates :  
Relates :  
The proposal [1] to prohibit RC4 has been accepted by IETF. We should add RC4 to "jdk.tls.disabledAlgorithms" security property.

[1] https://tools.ietf.org/html/rfc7465
You can also use the -Djava.security.properties command line option to override the jdk.tls.disabledAlgorithms security property and re-enable RC4, ex: java -Djava.security.properties=my.java.security ... where my.java.security is a file containing the property without RC4: jdk.tls.disabledAlgorithms=SSLv3

Suggested release note: RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465). Accordingly, RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE implementation by adding "RC4" to "jdk.tls.disabledAlgorithms" security property, and by removing them from the default enabled ciphersuites list. These cipher suites can be reactivated by removing "RC4" form "jdk.tls.disabledAlgorithms" security property in the java.security file or by dynamically calling Security.setProperty(), and also readding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

release-note=yes: Better to talk about how to re-enable RC4 cipher suites if necessary. The description depends on whether JDK-8043202 is released in the same time or not. Please contact me for the release-note review.

Code review: http://mail.openjdk.java.net/pipermail/security-dev/2015-April/011991.html