Bug ID: JDK-6996365 Evaluate the priorities of cipher suites

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: 7

Priority: P3
Status: Closed
Resolution: Fixed
OS: generic
CPU: generic

Submitted: 2010-11-01
Updated: 2014-10-03
Resolved: 2011-06-07

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 7
7 b126Fixed

During the implementation of TLS 1.1 and 1.2, we added new cipher suites and remove some old cipher suites from the default enabled lists. As time is not enough, we did not evaluate the best preference of those cipher suites priorities carefully. We need tale time to re-evaluate the priorities in JDK 7.

EVALUATION http://hg.openjdk.java.net/jdk7/build/jdk/rev/0d826185a92e
17-01-2011
EVALUATION noreg, the existing tests already cover the ciher suite preference cases.
22-12-2010
PUBLIC COMMENTS Criteria and priorities: 1. CipherSuites for KRB5 need additional KRB5 service configuration, and these suites are not common in practice, so we put KRB5 based cipher suites at the end of the supported list. 2. If a cipher suite has been obsoleted, we put it at the end of the list. 3. Prefer the stronger bulk cipher, in the order of AES_256, AES_128, RC-4, 3DES-EDE, DES, RC4_40, DES40, NULL. 4. Prefer the stronger MAC algorithm, in the order of SHA384, SHA256, SHA, MD5. 5. Prefer the better performance of key exchange and digital signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.
22-12-2010
EVALUATION Make sure to let docs know the final ordering.
06-12-2010