JDK-8212823 : Disable anon and NULL cipher suites
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 11.0.2,12
  • Submitted: 2018-10-23
  • Updated: 2019-09-24
  • Resolved: 2018-11-01
Related Reports
CSR :  

Disable the TLS anon (anonymous) and NULL cipher suites by default by adding them to the `jdk.tls.disabledAlgorithms` security property. 


The TLS anon and NULL cipher suites are used rarely and have security weaknesses. Anonymous suites are vulnerable to man-in-the-middle attacks. NULL suites do not provide confidentiality. RFC 7525 (Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" says: "Implementations MUST NOT negotiate the cipher suites with NULL encryption." 

These suites are not enabled by default, so an application has to explicitly enable them using an API or the `jdk.tls.client.cipherSuites` or `jdk.tls.server.cipherSuites` system properties. However, adding them to the `jdk.tls.disabledAlgorithms` security property adds an extra layer of protection should they be used accidentally or maliciously.


Add `anon` and `NULL` to the `jdk.tls.disabledAlgorithms` security property so that it will be disabled by default. In order to use one of these suites, an application has to explicitly enable it AND remove it from the `jdk.tls.disabledAlgorithms` security property.


In the `java.security` file, change the value of the `jdk.tls.disabledAlgorithms` security property:

jdk.tls.disabledAlgorithms= /* whatever was before */, anon, NULL
Moved to Approved; may adjust the fixVersinn setting at some point depending on future policy discussions.

This is a request for a retroactive CSR approval. I accidentally pushed the fix to 12 before getting CSR approval. I would also like to backport this to 11.0.2 if I can meet the deadlines.