Bug ID: JDK-8076221 Disable RC4 cipher suites

JDK-8076221 : Disable RC4 cipher suites

Details

Type:	Enhancement	Submit Date:	2015-03-30
Status:	Closed	Updated Date:	2017-05-17
Project Name:	JDK	Resolved Date:	2015-04-15
Component:	security-libs	OS:
Sub-Component:	javax.net.ssl	CPU:
Priority:	P3
Resolution:	Fixed
Affected Versions:
Fixed Versions:	9 (b61)

Related Reports

Backport:	JDK-8077220 - Disable RC4 cipher suites
Relates:	JDK-8077924 - sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh has a dependence on RC4 ciphersuites

Sub Tasks

Description

The proposal [1] to prohibit RC4 has been accepted by IETF. We should add RC4 to "jdk.tls.disabledAlgorithms" security property.

[1] https://tools.ietf.org/html/rfc7465

Comments

You can also use the -Djava.security.properties command line option to override the jdk.tls.disabledAlgorithms security property and re-enable RC4, ex: java -Djava.security.properties=my.java.security ... where my.java.security is a file containing the property without RC4: jdk.tls.disabledAlgorithms=SSLv3
2015-05-27
Suggested release note: RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465). Accordingly, RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE implementation by adding "RC4" to "jdk.tls.disabledAlgorithms" security property, and by removing them from the default enabled ciphersuites list. These cipher suites can be reactivated by removing "RC4" form "jdk.tls.disabledAlgorithms" security property in the java.security file or by dynamically calling Security.setProperty(), and also readding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.
2015-05-19
release-note=yes: Better to talk about how to re-enable RC4 cipher suites if necessary. The description depends on whether JDK-8043202 is released in the same time or not. Please contact me for the release-note review.
2015-05-06
Code review: http://mail.openjdk.java.net/pipermail/security-dev/2015-April/011991.html
2015-04-14

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together