openjdk team mailing list archive

[Bug 1482924] Re: Regressions due to USN-2696-1

 

I have created OpenJDK 6 packages for Precise and Wily (should run on
Vivid as well) with TLS 1.1 enabled by default and an OpenJDK 7 package
for Wily with TLS 1.2 enabled by default as well. If you can, please
test those and let me know the results.

$ sudo add-apt-repository ppa:tdaitx/openjdk

See repo at https://launchpad.net/~tdaitx/+archive/ubuntu/openjdk


As for RC4, it has been fully disabled upstream now [1,2,3,4]. In particular:
* 8043200: Decrease the preference mode of RC4 in the enabled cipher suite list
* 8050158: Introduce system property to maintain RC4 preference order
* 8043201: Deprecate RC4 in SunJSSE provider
* 8043202: Prohibit RC4 cipher suites

In order to use RC4 it seems that you need to set the system property
"jdk.tls.preserveRC4CipherSuites" to "true" and make sure the algorithm
you want to use is listed under "jdk.tls.legacyAlgorithms" in the
java.security file (for Ubuntu it will be at
/etc/java-7-openjdk/security/java.security or
/etc/java-6-openjdk/security/java.security). Algorithms in
jdk.tls.legacyAlgorithms will be tried only after exhausting all other
options.

[1] http://blog.fuseyism.com/index.php/2015/07/30/security-icedtea-1-13-8-for-openjdk-6-released/
[2] http://blog.fuseyism.com/index.php/2015/07/23/security-icedtea-2-5-6-for-openjdk-7-released/
[3] http://mail.openjdk.java.net/pipermail/jdk6-dev/2015-August/003540.html
[4] http://mail.openjdk.java.net/pipermail/jdk7u-dev/2015-August/010390.html

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1482924

Title:
  Regressions due to USN-2696-1

Status in openjdk-6 package in Ubuntu:
  New
Status in openjdk-7 package in Ubuntu:
  New

Bug description:
  Due to [CBCATT], some server administrators (including the webservices
  gateway for a major airline reservations provider) choose to disable
  CBC ciphersuites unless the protocol level is TLSv1.1 or later;
  [TLS1.1] introduced an explicit CBC IV to guard against such attacks.
  (See [TLS1.1] section 1.1) On such servers, disabling all CBC
  ciphersuites may leave only RC4 as a trusted cipher.

  JDK7 introduced support for TLSv1.2, but chose not to enable it by
  default, due to a policy of not changing such defaults in minor
  revisions. JDK8 enables TLSv1.2 by default.

  On Ubuntu, due to USN-2696-1, starting with the
  openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by
  default but the protocol default remains TLSv1.0. This can leave no
  remaining trusted ciphers, and negotiation can fail.

  Workaround: on OpenJDK7, it is possible to either use
  SSLContext.getInstance("TLSv1.2") or re-enable RC4 via
  SSLSocket.setEnabledCipherSuites(), but neither workaround is viable
  if one doesn't have access to 3rd-party source code.

  References:

     [TLS1.1]   Dierks, T. and E. Rescorla, "The Transport Layer Security
                (TLS) Protocol Version 1.1", RFC 4346, April 2006.
                https://www.ietf.org/rfc/rfc4346.txt

     [CBCATT]   Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
                Problems and Countermeasures",
                http://www.openssl.org/~bodo/tls-cbc.txt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/1482924/+subscriptions
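
A way to check which side of this regression a given JVM is on, as an added example that is not part of the original message or of the OpenJDK packages: it prints the two settings named in the message and compares the default JSSE context with the `SSLContext.getInstance("TLSv1.2")` workaround from the bug description. The class name `TlsDefaultsCheck` and the substring matching on suite names are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical diagnostic class (not from the original message).
public class TlsDefaultsCheck {

    // Summarise the protocols and cipher suites a context enables by default.
    static void report(String label, SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> protocols = Arrays.asList(params.getProtocols());
        List<String> rc4 = new ArrayList<String>();
        int cbc = 0;
        for (String suite : params.getCipherSuites()) {
            // Standard JSSE suite names carry the cipher as _RC4_ or _CBC_.
            if (suite.contains("_RC4_")) rc4.add(suite);
            if (suite.contains("_CBC_")) cbc++;
        }
        boolean tls11Plus = protocols.contains("TLSv1.1")
                || protocols.contains("TLSv1.2");

        System.out.println(label);
        System.out.println("  enabled protocols : " + protocols);
        System.out.println("  enabled CBC suites: " + cbc);
        System.out.println("  enabled RC4 suites: " + rc4);
        // The failure in the bug description: the server refuses CBC below
        // TLSv1.1 and the client offers neither TLSv1.1+ nor RC4.
        if (!tls11Plus && rc4.isEmpty()) {
            System.out.println("  -> no TLSv1.1+ and no RC4: a server that"
                    + " rejects CBC below TLSv1.1 has nothing to select");
        }
    }

    public static void main(String[] args) throws Exception {
        // Both property names are the ones given in the message; they print
        // as null when unset or unknown to this build.
        System.out.println("jdk.tls.preserveRC4CipherSuites = "
                + System.getProperty("jdk.tls.preserveRC4CipherSuites"));
        System.out.println("jdk.tls.legacyAlgorithms = "
                + Security.getProperty("jdk.tls.legacyAlgorithms"));

        report("Default context", SSLContext.getDefault());

        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null); // default key/trust managers
        report("SSLContext.getInstance(\"TLSv1.2\")", tls12);
    }
}
```

Run it with the same JVM and `java.security` file as the affected application so the output reflects that application's defaults.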

