openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #11065
[Bug 1482924] Re: Regressions due to USN-2696-1
** Description changed:
Due to [CBCATT], some server administrators (including the webservices
gateway for a major airline reservations provider) choose to disable CBC
ciphersuites unless the protocol level is TLSv1.1 or later; [TLS1.1]
introduced an explicit CBC IV to guard against such attacks. (See
[TLS1.1] section 1.1) On such servers, disabling all CBC ciphersuites
may leave only RC4 as a trusted cipher.
JDK7 introduced support for TLSv1.2, but chose not to enable it by
default, due to a policy of not changing such defaults in minor
revisions. JDK8 enables TLSv1.2 by default.
- On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-
- 7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the
- protocol default remains TLSv1.0.
+ On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and
+ negotiation can fail.
Workaround: on OpenJDK7, it is possible to either use
SSLContext.getInstance("TLSv1.2") or re-enable RC4 via
SSLSocket.setEnabledCipherSuites(), but neither workaround is viable if
one doesn't have access to 3rd-party source code.
References:
- [TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security
- (TLS) Protocol Version 1.1", RFC 4346, April 2006.
- https://www.ietf.org/rfc/rfc4346.txt
+ [TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.1", RFC 4346, April 2006.
+ https://www.ietf.org/rfc/rfc4346.txt
- [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
- Problems and Countermeasures",
- http://www.openssl.org/~bodo/tls-cbc.txt.
+ [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
+ Problems and Countermeasures",
+ http://www.openssl.org/~bodo/tls-cbc.txt.
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1482924
Title:
Regressions due to USN-2696-1
Status in openjdk-7 package in Ubuntu:
New
Bug description:
Due to [CBCATT], some server administrators (including the webservices
gateway for a major airline reservations provider) choose to disable
CBC ciphersuites unless the protocol level is TLSv1.1 or later;
[TLS1.1] introduced an explicit CBC IV to guard against such attacks.
(See [TLS1.1] section 1.1) On such servers, disabling all CBC
ciphersuites may leave only RC4 as a trusted cipher.
JDK7 introduced support for TLSv1.2, but chose not to enable it by
default, due to a policy of not changing such defaults in minor
revisions. JDK8 enables TLSv1.2 by default.
On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and
negotiation can fail.
Workaround: on OpenJDK7, it is possible to either use
SSLContext.getInstance("TLSv1.2") or re-enable RC4 via
SSLSocket.setEnabledCipherSuites(), but neither workaround is viable
if one doesn't have access to 3rd-party source code.
References:
[TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
https://www.ietf.org/rfc/rfc4346.txt
[CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
Problems and Countermeasures",
http://www.openssl.org/~bodo/tls-cbc.txt.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1482924/+subscriptions
References