JDK-8211883 : Disable anon and NULL cipher suites
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-10-08
  • Updated: 2019-09-24
  • Resolved: 2018-10-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 7 JDK 8 Other
11.0.2Fixed 12 b18Fixed 7u211Fixed 8u201Fixed openjdk7uFixed
Related Reports
CSR :  
Relates :  
Relates :  
Sub Tasks
JDK-8212998 :  
The TLS anon (anonymous) and NULL cipher suites are used rarely and have security weaknesses. Anonymous suites are vulnerable to man-in-the-middle attacks. NULL suites do not provide confidentiality. RFC 7525 (Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" says: "Implementations MUST NOT negotiate the cipher suites with NULL encryption." TLS 1.3 has removed them.
These suites are not enabled by default (i.e. they are not on the internal hardcoded list of ciphersuites that are available for TLS handshake), so an application has to explicitly enable them using an API or the "jdk.tls.client.cipherSuites" or "jdk.tls.server.cipherSuites" system properties. However, adding them to the "jdk.tls.disabledAlgorithms" security property adds an extra layer of protection should they be used accidentally or maliciously. This change is also consistent with prior crypto roadmap changes that have disabled insecure cipher suites.
Fix Request This fix improves the security of the platform by restricting these insecure cipher suites by default. This change should be backported to all JDK releases to provide a consistent security configuration. The fix is small (a one line configuration file change) and the risk should be very low as these suites are discouraged and rarely used. The JDK 12 patch applies cleanly and includes tests to ensure the cipher suites are properly disabled.