JDK-8163326 : Update the default enabled cipher suites preference
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-08-06
  • Updated: 2021-11-02
  • Resolved: 2019-04-04
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 16 JDK 7 JDK 8 Other
11.0.13-oracleFixed 13 b16Fixed 16-poolResolved 7u321Fixed 8u311Fixed openjdk7uFixed
Related Reports
CSR :  
Relates :  
Sub Tasks
JDK-8219551 :  
At present, the SunJSSE provider prefers the better performance of key exchange and digital signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.

Forward secrecy should be preferable first.  If the DHE ephemeral key limitation get resolved, the order should be changed to ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.
Fix request [11u] I'd like to backport JDK-8163326 for parity with Oracle and align the list of cipher suites with other versions. The original patch applies clean but I had to update test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java test because of the list of ciphers was not updated during JDK-8234728 backport to 11u sun/security/ssl and javax/net/ssl tests passed successfully

URL: http://hg.openjdk.java.net/jdk/jdk/rev/fb25cd198a10 User: xuelei Date: 2019-04-04 21:19:47 +0000

Fix it when the FFDHE get more popular in the industry, probably when TLS 1.3 get released.