JDK-8217579 : TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u211,8u201,11.0.2,11.0.3,12
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-01-22
  • Updated: 2021-04-12
  • Resolved: 2019-01-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 13 JDK 7 JDK 8 Other
11.0.3-oracleFixed 12Fixed 13 b06Fixed 7u221Fixed 8u211Fixed openjdk7uFixed
Related Reports
Duplicate :  
JDK-8207784 - CheckCipherSuites.java test is ignored
Relates :  
JDK-8211883 - Disable anon and NULL cipher suites
Description
When listing  the  default and available ciphers  with  8u202  (testcase listed below)  One can notice that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone. With 8u192 it was still in the list of default and available ciphers.

It appears, "8211883: Disable anon and NULL cipher suites" is the reason TLS_EMPTY_RENEGOTIATION_INFO_SCSV is gone now.

It looks like some of our Tomcat users are running into this issue because  
TLS_EMPTY_RENEGOTIATION_INFO_SCSV   plays some role  there .

Full JDK Versions
-----------------
JDK 7u211 and later, 8u201 and later, 11.0.2 and later


Testcase & Reproduction Instructions
------------------------------------
import java.util.*;
import javax.net.ssl.SSLServerSocketFactory;
 
public class Ciphers
{
    public static void main(String[] args)
        throws Exception
    {
        SSLServerSocketFactory ssf =
SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
 
        String[] defaultCiphers = ssf.getDefaultCipherSuites();
        String[] availableCiphers = ssf.getSupportedCipherSuites();
 
        System.out.println("default ciphers:");
        System.out.println("------------------------------");
        for (String s: defaultCiphers) {
            System.out.println(s);
        }
 
        System.out.println("available ciphers:");
        System.out.println("------------------------------");
        for (String s: availableCiphers) {
            System.out.println("available:" + s);
        }
    }
}

Workaround
----------
Remove NULL from jdk.tls.disabledAlgorithm

Related Bugs, Forum Threads
---------------------------
https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019237.html
Comments
Fix request: This is an important fix for a regression which needs to go to JDK 11 updates. The patch applied cleanly but the test case had to be modified a little to make it succeed in the JDK11 environment. The review thread is here: https://mail.openjdk.java.net/pipermail/security-dev/2019-January/019271.html
31-01-2019