JDK-8219545 : Update the default enabled cipher suites preference
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-02-21
  • Updated: 2019-03-21
  • Resolved: 2019-03-21
Related Reports
CSR :  
Description
Summary
-------
Propose to update the default enabled cipher suites preference in the SunJSSE provider.

Problem
-------
Forward secrecy is a property of certain key agreement protocols that gives assurance that session keys will not be compromised even if the server's private key is later compromised.  Forward secrecy protects past sessions against future compromises of long-term secret keys or passwords.

In the current SunJSSE provider, forward secrecy was considered when ordering cipher suites, but with a lower priority than performance.  For example, the JDK prefers key exchange and digital signature algorithms by their performance, in the order

> ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.

If forward secrecy were preferred first, the order would instead be

> ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.

Meanwhile, the RSA key exchange algorithms and SHA-1 based HMAC algorithms have been deprecated in TLS 1.3.  Even for TLS 1.2 and prior versions, their priority should be decreased for safety as well.

Solution
--------
Update the preference order of the default enabled cipher suites so that the SunJSSE provider prefers forward secrecy.

The following factors are considered:

 1. Increase the priority of forward secrecy cipher suites.
 2. Increase the priority of GCM mode cipher suites.
 3. Increase the priority of ECDHE cipher suites.
 4. Decrease the priority of cipher suites that use SHA-1 hash algorithm.
 5. Decrease the priority of RSA key exchange based cipher suites.

Specification
-------------
With this update, the preference order of cipher suites in the SunJSSE provider is changed to:

 -  Forward secrecy cipher suites.
   -  TLS 1.3 cipher suites.
     - TLS_AES_256_GCM_SHA384
     - TLS_AES_128_GCM_SHA256
     - TLS_CHACHA20_POLY1305_SHA256
   - Suite B compliant cipher suites
     - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   -  Not Suite B, but positioned early in the list of TLS 1.2 suites.
     - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
   -  AES_256(GCM) - ECDHE - forward secrecy cipher suites.
     - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256  
   -  AES_128(GCM) - ECDHE - forward secrecy cipher suites.
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   -  AES_256(GCM) - DHE - forward secrecy cipher suites.
     - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
     - TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
   -  AES_128(GCM) - DHE - forward secrecy cipher suites.
     - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
   -  AES_256(CBC) - ECDHE - forward secrecy cipher suites.
     - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
     - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   -  AES_128(CBC) - ECDHE - forward secrecy cipher suites.
     - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   -  AES_256(CBC) - DHE - forward secrecy cipher suites.
     - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
     - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
   -  AES_128(CBC) - DHE - forward secrecy cipher suites.
     - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
     - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 -  Not forward secrecy cipher suites.
   -  AES_256(GCM) - not forward secrecy cipher suites.
     - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
     - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
   -  AES_128(GCM) - not forward secrecy cipher suites.
     - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
     - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
   -  AES_256(CBC) - not forward secrecy cipher suites.
     - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
     - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
   -  AES_128(CBC) - not forward secrecy cipher suites.
     - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
     - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 -  Cipher suites that use SHA-1, used for compatibility
   -  AES_256(CBC) - ECDHE - forward secrecy, using SHA-1
     - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   -  AES_128(CBC) - ECDHE - forward secrecy, using SHA-1
     - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   -  AES_256(CBC) - DHE - forward secrecy, using SHA-1
     - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
     - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
   -  AES_128(CBC) - DHE - forward secrecy, using SHA-1
     - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
     - TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   -  AES_256(CBC) - not forward secrecy, using SHA-1
     - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
     - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
   -  AES_128(CBC) - not forward secrecy, using SHA-1
     - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
     - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
 -  Deprecated, used for compatibility only.
   -  RSA - not forward secrecy
     - TLS_RSA_WITH_AES_256_GCM_SHA384
     - TLS_RSA_WITH_AES_128_GCM_SHA256
     - TLS_RSA_WITH_AES_256_CBC_SHA256
     - TLS_RSA_WITH_AES_128_CBC_SHA256
     - TLS_RSA_WITH_AES_256_CBC_SHA
     - TLS_RSA_WITH_AES_128_CBC_SHA
   -  3DES - deprecated
     - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
     - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
     - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
     - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
     - SSL_RSA_WITH_3DES_EDE_CBC_SHA
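An added example, not code from this CSR or from the JDK: a small Java check that ranks each suite in the running JDK's default `SSLParameters` list by the categories above (forward secrecy, static ECDH, SHA-1 HMAC, RSA key exchange, 3DES), reports any suite that appears after a lower-ranked one, and shows how a deployment can narrow the enabled set to forward-secrecy suites only. The class name, the numeric ranks and the prefix-based classification are this example's own assumptions; the suite names come from the list above.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public class CipherSuitePreferenceCheck {

    // Rank a suite by the CSR's categories (lower is preferred): 0 forward secrecy,
    // 1 static ECDH, 2 forward secrecy with SHA-1, 3 static ECDH with SHA-1,
    // 4 RSA key exchange, 5 3DES, 6 anything else (e.g. the SCSV pseudo-suite).
    static int rank(String suite) {
        boolean sha1 = suite.endsWith("_SHA");
        if (suite.contains("_3DES_")) return 5;
        if (suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_")) return 4;
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) return 0;
        if (suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_")
                || suite.startsWith("SSL_DHE_")) return sha1 ? 2 : 0;
        if (suite.startsWith("TLS_ECDH_")) return sha1 ? 3 : 1;
        return 6;
    }

    // Suites ranked better than some suite listed before them: each one is a
    // place where the actual order contradicts the CSR's preference.
    static List<String> findOutOfOrder(String[] suites) {
        List<String> violations = new ArrayList<>();
        int worstSoFar = 0;
        for (String s : suites) {
            int r = rank(s);
            if (r < worstSoFar) violations.add(s);
            worstSoFar = Math.max(worstSoFar, r);
        }
        return violations;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        String[] defaults = params.getCipherSuites();
        List<String> bad = findOutOfOrder(defaults);
        System.out.println(bad.isEmpty() ? "default order follows the CSR preference"
                                         : "out-of-order suites: " + bad);
        // Hardening option: enable only the forward-secrecy suites (rank 0) from the default list.
        List<String> fsOnly = new ArrayList<>();
        for (String s : defaults) if (rank(s) == 0) fsOnly.add(s);
        params.setCipherSuites(fsOnly.toArray(new String[0]));
        System.out.println("forward-secrecy-only set: " + fsOnly);
    }
}
```

Run it against each JDK you deploy: a JDK older than 13 is expected to report out-of-order suites, because its defaults still place static ECDH and RSA key exchange ahead of DHE.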
Comments
I see a release note for this change is already planned; moving to Approved.
21-03-2019