JDK-8235350 : Remove SSLv2Hello and SSLv3 from default enabled TLS protocols
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 14
  • Submitted: 2019-12-04
  • Updated: 2019-12-07
  • Resolved: 2019-12-07
Related Reports
CSR :  
Description
Summary
-------

Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

Problem
-------

SSLv3 has been deprecated with RFC 7568. We have already disabled it by default in 2015 by adding it to the jdk.tls.disabledAlgorithms security property. However, it is still in the default enabled list. We should remove it from the default enabled list as an additional cleanup.
 
Solution
--------

Remove SSLv2Hello and SSLv3 from the default enabled TLS protocols.

If SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() API will return "TLSv1.3, TLSv1.2, TLSv1.1,  TLSv1". "SSLv3" will not be returned in this list.

If a client / server still needs to use this protocol they can do so by enabling it via a system property jdk.tls.client.protocols / jdk.tls.server.protocols or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine. setEnabledProtocols() API.

Specification
-------------

Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/

    --- old/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	2019-12-04 13:00:19.000000000 -0800
    +++ new/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	2019-12-04 13:00:18.000000000 -0800
    @@ -549,9 +549,7 @@
                     ProtocolVersion.TLS13,
                     ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
    -                ProtocolVersion.TLS10,
    -                ProtocolVersion.SSL30,
    -                ProtocolVersion.SSL20Hello
    +                ProtocolVersion.TLS10
                 });
     
                 supportedCipherSuites = getApplicableSupportedCipherSuites(
    @@ -600,9 +598,7 @@
                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
                         ProtocolVersion.TLS11,
    -                    ProtocolVersion.TLS10,
    -                    ProtocolVersion.SSL30,
    -                    ProtocolVersion.SSL20Hello
    +                    ProtocolVersion.TLS10
                 };
             }
         }
    @@ -619,8 +615,7 @@
             static {
                 clientDefaultProtocols = getAvailableProtocols(
                         new ProtocolVersion[] {
    -                ProtocolVersion.TLS10,
    -                ProtocolVersion.SSL30
    +                ProtocolVersion.TLS10
                 });
     
                 clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
    @@ -651,8 +646,7 @@
                 clientDefaultProtocols = getAvailableProtocols(
                         new ProtocolVersion[] {
                     ProtocolVersion.TLS11,
    -                ProtocolVersion.TLS10,
    -                ProtocolVersion.SSL30
    +                ProtocolVersion.TLS10
                 });
     
                 clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
    @@ -685,8 +679,7 @@
                         new ProtocolVersion[] {
                     ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
    -                ProtocolVersion.TLS10,
    -                ProtocolVersion.SSL30
    +                ProtocolVersion.TLS10
                 });
     
                 clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
    @@ -719,8 +712,7 @@
                     ProtocolVersion.TLS13,
                     ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
    -                ProtocolVersion.TLS10,
    -                ProtocolVersion.SSL30
    +                ProtocolVersion.TLS10
                 });
     
                 clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
    @@ -876,8 +868,7 @@
                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
                         ProtocolVersion.TLS11,
    -                    ProtocolVersion.TLS10,
    -                    ProtocolVersion.SSL30
    +                    ProtocolVersion.TLS10
                 };
             }
     


Comments
Moving to Approved.
07-12-2019