← Back to team overview

openjdk team mailing list archive

[Bug 1482924] Re: Regressions due to USN-2696-1

 

Issue JDK-4873188 [1] asked for TLS 1.1 support for OpenJDK 1.4, 5, 6,
and 7. It was implemented for OpenJDK 7 [2] and recently backported to 6
[3].

An issue to add TLS 1.2 support to OpenJDK 1.4, 5, and 6 was tracked by
JDK-6916074 [4], but support for it was only added for OpenJDK 7 [5].

It is not clear at this time if TLS 1.2 is supported by OpenJDK 6. The
TLS 1.1 backport [3] seems to have integrated TLS 1.2 support code (but
with a seemly hard-coded max for TLS 1.1) and a fix for a TLS 1.2 bug
was recently incorporated [6] which includes a test for "SSLv3",
"TLSv1", "TLSv1.1", and "TLSv1.2".

JDK-7093640 [7] tracked the effort to enable TLS 1.2 by default for
OpenJDK 7 and 8, but was only enabled for OpenJDK 8 [8] and 9 [9]. The
rationale at the time [see 7] was to keep it disabled for OpenJDK 7 due
to existing "version intolerant" servers - ie. "TLS server deployments
that do not accept higher TLS version numbers, which is generally
version TLS v1.0".


As for RC4, disabling it was originally reported in JDK-8076221 [10] and executed by S8043202. For OpenJDK 7, that change was integrated into IcedTea 2.5 JDK forest [11] and released in 2.5.6 [12] and 2.6.1 [13]. OpenJDK 6 got it in IcedTea 1.13.8 release [14].

References:
[1] https://bugs.openjdk.java.net/browse/JDK-4873188
[2] http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/93cd7e89adb8
[3] http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/0ddb5d39438d

[4] https://bugs.openjdk.java.net/browse/JDK-6916074
[5] http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d6a9f65d2bf

[6] http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/042e39055298

[7] https://bugs.openjdk.java.net/browse/JDK-7093640
[8] https://bugs.openjdk.java.net/browse/JDK-8031273
[9] https://bugs.openjdk.java.net/browse/JDK-8030791

[10] https://bugs.openjdk.java.net/browse/JDK-8076221
[11] http://icedtea.classpath.org/hg/release/icedtea7-forest-2.5/jdk/rev/0982455b2f4d
[12] http://blog.fuseyism.com/index.php/2015/07/23/security-icedtea-2-5-6-for-openjdk-7-released/
[13] http://blog.fuseyism.com/index.php/2015/07/21/security-icedtea-2-6-1-for-openjdk-7-released/
[14] http://blog.fuseyism.com/index.php/2015/07/30/security-icedtea-1-13-8-for-openjdk-6-released/

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1482924

Title:
  Regressions due to USN-2696-1

Status in openjdk-6 package in Ubuntu:
  New
Status in openjdk-7 package in Ubuntu:
  New

Bug description:
  Due to [CBCATT], some server administrators (including the webservices
  gateway for a major airline reservations provider) choose to disable
  CBC ciphersuites unless the protocol level is TLSv1.1 or later;
  [TLS1.1] introduced an explicit CBC IV to guard against such attacks.
  (See [TLS1.1] section 1.1) On such servers, disabling all CBC
  ciphersuites may leave only RC4 as a trusted cipher.

  JDK7 introduced support for TLSv1.2, but chose not to enable it by
  default, due to a policy of not changing such defaults in minor
  revisions. JDK8 enables TLSv1.2 by default.

  On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and
  negotiation can fail.

  Workaround: on OpenJDK7, it is possible to either use
  SSLContext.getInstance("TLSv1.2") or re-enable RC4 via
  SSLSocket.setEnabledCipherSuites(), but neither workaround is viable
  if one doesn't have access to 3rd-party source code.

  References:

     [TLS1.1]   Dierks, T. and E. Rescorla, "The Transport Layer Security
                (TLS) Protocol Version 1.1", RFC 4346, April 2006.
                https://www.ietf.org/rfc/rfc4346.txt

     [CBCATT]   Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
                Problems and Countermeasures",
                http://www.openssl.org/~bodo/tls-cbc.txt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/1482924/+subscriptions


References