Bug ID: JDK-8163326 Update the default enabled cipher suites preference

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2016-08-06
Updated: 2021-10-20
Resolved: 2019-04-04

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 7	JDK 8	Other
11.0.13Fixed	7u321Fixed	8u311Fixed	openjdk7uFixed

At present, the SunJSSE provider prefers the better performance of key exchange and digital signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.

Forward secrecy should be preferable first.  If the DHE ephemeral key limitation get resolved, the order should be changed to ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.

Fix request [11u] I'd like to backport JDK-8163326 for parity with Oracle and align the list of cipher suites with other versions. The original patch applies clean but I had to update test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java test because of the list of ciphers was not updated during JDK-8234728 backport to 11u sun/security/ssl and javax/net/ssl tests passed successfully

01-07-2021

URL: http://hg.openjdk.java.net/jdk/jdk/rev/fb25cd198a10 User: xuelei Date: 2019-04-04 21:19:47 +0000

04-04-2019

Fix it when the FFDHE get more popular in the industry, probably when TLS 1.3 get released.

06-09-2017

CSR :	JDK-8219545 - Update the default enabled cipher suites preference
Relates :	JDK-8204636 - Improvement of TLS 1.3 implementation