JDK-8236730 : Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u281,8u271,11.0.9-oracle,14
  • Priority: P3
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2020-01-07
  • Updated: 2020-09-15
  • Resolved: 2020-01-15
Version table:
  • JDK 11: 11.0.9-oracle (Resolved)
  • JDK 14: 14 (Resolved)
  • JDK 7: 7u281 (Resolved)
  • JDK 8: 8u271 (Resolved)
Description
Weak named curves are disabled by default by adding them to the following `disabledAlgorithms` security properties: `jdk.tls.disabledAlgorithms`,  `jdk.certpath.disabledAlgorithms`, and `jdk.jar.disabledAlgorithms`.  The named curves are listed below.

With 47 weak named curves to disable, listing each curve individually in every `disabledAlgorithms` property would be unwieldy. Instead, a new security property, `jdk.disabled.namedCurves`, lists the named curves common to all of the `disabledAlgorithms` properties. To use the new property in a `disabledAlgorithms` property, precede its full property name with the keyword `include`. Users can still add individual named curves to a `disabledAlgorithms` property separately from this new property. No other properties can be included in the `disabledAlgorithms` properties.

To restore the named curves, remove `include jdk.disabled.namedCurves` from specific `disabledAlgorithms` security properties or from all of them.
To restore only one or more curves, remove the specific named curve(s) from the `jdk.disabled.namedCurves` property.

Curves that are disabled through `jdk.disabled.namedCurves` include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1,  secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3,  X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are:  secp256r1, secp384r1, secp521r1, X25519, X448
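
One way to check a deployed JVM against this note (an added example, not code from the JDK or from this release note): it reads `jdk.disabled.namedCurves` and the three `disabledAlgorithms` properties with `java.security.Security.getProperty` and reports, per property, which of the 47 curves listed above are not disabled by name. The class and method names are hypothetical; it assumes the `include` entry appears verbatim in the raw property value and compares names case-insensitively.

```java
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

// Added example (not JDK code): reports weak named curves the running JVM does not disable by name.
public class NamedCurveAudit {
    static final String CURVES_PROP = "jdk.disabled.namedCurves";
    static final String[] CONSTRAINT_PROPS = { "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms", "jdk.jar.disabledAlgorithms" };
    // The 47 weak curves, copied from the list in this release note.
    static final String WEAK = "secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1,"
        + " secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2,"
        + " sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1,"
        + " sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1,"
        + " X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2,"
        + " X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3,"
        + " X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1,"
        + " brainpoolP384r1, brainpoolP512r1";

    // Split a comma-separated property value into trimmed, lower-cased, space-normalized entries.
    static Set<String> entries(String value) {
        Set<String> out = new TreeSet<>();
        if (value == null) return out;               // property absent on this JDK
        for (String e : value.split(",")) {
            String t = e.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT);
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    // Weak curves that a disabledAlgorithms value leaves enabled, given the shared curve list.
    static Set<String> stillEnabled(String constraintValue, String curveList) {
        Set<String> blocked = entries(constraintValue);          // curves named individually
        if (blocked.contains("include " + CURVES_PROP.toLowerCase(Locale.ROOT))) {
            blocked.addAll(entries(curveList));                  // curves pulled in via include
        }
        Set<String> enabled = entries(WEAK);
        enabled.removeAll(blocked);
        return enabled;
    }

    public static void main(String[] args) {
        String curveList = Security.getProperty(CURVES_PROP);
        for (String prop : CONSTRAINT_PROPS) {
            Set<String> enabled = stillEnabled(Security.getProperty(prop), curveList);
            System.out.println(prop + ": " + (enabled.isEmpty() ? "all 47 weak curves disabled by name"
                : enabled.size() + " weak curve(s) not disabled by name: " + enabled));
        }
    }
}
```

Run it with the same JVM and the same security-property overrides as the application being checked. It inspects curve names only; other constraints in the `disabledAlgorithms` properties are outside what it reports.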