8245545: Disable TLS_RSA cipher suites

[TheMangovnik]

Backport of JDK-8245545 - Disable TLS_RSA cipher suites

Some TLS suites do not preserve forward-secrecy and are not commonly used - and should not be used.

Not clean back port. This includes:

• Selection of disabled tests and some include that is in jdk11 but not in jdk17.
• Changed indentation of edited block of string defining disabled cipher suites.
• Bunch of copyright notices.

Tested on Fedora 43:

• gtests passed
• T1 have same fails before and after the back port -> not related to this.
• jtreg:test/jdk/sun/security passed.
• jtreg:test/jdk/javax/net/ssl passed.
• Github Actions passed.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8245545 needs maintainer approval
• Change requires CSR request JDK-8344257 to be approved

Issues

• JDK-8245545: Disable TLS_RSA cipher suites (Enhancement - P3 - Approved)
• JDK-8344257: Disable TLS_RSA cipher suites (CSR)

Reviewers

• Andrew John Hughes (@gnu-andrew - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3124/head:pull/3124
$ git checkout pull/3124

Update a local copy of the PR:
$ git checkout pull/3124
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3124/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3124

View PR using the GUI difftool:
$ git pr show -t 3124

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3124.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back TheMangovnik! A progress list of the required criteria for merging this PR into pr/3123 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@TheMangovnik This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8245545: Disable TLS_RSA cipher suites

Reviewed-by: andrew

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 3 new commits pushed to the master branch:

• 1939efc: 8213781: web page background renders blue in JEditorPane
• c5cef8c: 8257709: C1: Double assignment in InstructionPrinter::print_stack
• 3cc55c3: 8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@gnu-andrew) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 05: Full - Incremental (a8c23aea)
• 04: Full - Incremental (f43f57ec)
• 03: Full - Incremental (95da7d4c)
• 02: Full - Incremental (26a5bb72)
• 01: Full - Incremental (c1389344)
• 00: Full (c1389344)

[openjdk-notifier]

The parent pull request that this pull request depends on has now been integrated and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork:

git checkout backport/JDK-8245545
git fetch https://git.openjdk.org/jdk11u-dev.git master
git merge FETCH_HEAD
# if there are conflicts, follow the instructions given by git merge
git commit -m "Merge master"
git push

[gnu-andrew]

Most of this looks ok. I see three instances with changes that shouldn't be there:

1. test/jdk/javax/net/ssl/SSLEngine/Basics.java acquires some refactoring from JDK-8298867. This should just add the lines, as in other tests in 8245545, to re-enable TLS_RSA_* i.e.

+        // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");

2. test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java brings in a whole bunch of indentation changes from JDK-8301379. It should just add the additional algorithms as in 8245545.

3. test/jdk/sun/security/pkcs11/fips/TestTLS12.java alters the existing Red Hat copyright line for no apparent reason.

JDK-8298867 & JDK-8301379 are both test changes that are in Oracle's 11u and could be backported fully. Given we enter rampdown at the end of this week though, I would like to get this change in and those test changes can be done later if desired. We shouldn't be including chunks of them in this backport though.

[TheMangovnik]

1. Refactor from different issue was removed.
2. Indentation from different issue was removed.
3. Change in copyright was reverted.

This should address all the points you raised. Please let me know if I missed something.

JDK-8298867 & JDK-830137 -> I will look into them later.

[gnu-andrew]

1. Refactor from different issue was removed.

   2. Indentation from different issue was removed.

   3. Change in copyright was reverted.

This should address all the points you raised. Please let me know if I missed something.

Thanks for the changes. This version looks a lot better. The only thing I spotted was that disabled_ciphersuites is still being changed from private to public in DisabledAlgorithms.java. Other than that, this is good to go.

JDK-8298867 & JDK-830137 -> I will look into them later.

No rush on these. I just thought that, if you wanted to bring over these changes, this is the way to do it.

[TheMangovnik]

The undesired access modifier change was reverted.

[gnu-andrew]

Great, thanks.

[openjdk]

⚠️ @TheMangovnik This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[TheMangovnik]

/approval request Backport of JDK-8245545 - Disable TLS_RSA cipher suites. Related tests are passing. GHA passing.

[openjdk]

@TheMangovnik
8245545: The approval request has been created successfully.

[gnu-andrew]

/approve yes

[openjdk]

@gnu-andrew
8245545: The approval request has been approved.

[TheMangovnik]

/integrate

[openjdk]

@TheMangovnik
Your change (at version a8c23ae) is now ready to be sponsored by a Committer.

[gnu-andrew]

/sponsor

[openjdk]

Going to push as commit 463e25f.
Since your change was applied there have been 3 commits pushed to the master branch:

• 1939efc: 8213781: web page background renders blue in JEditorPane
• c5cef8c: 8257709: C1: Double assignment in InstructionPrinter::print_stack
• 3cc55c3: 8368982: Test sun/security/tools/jarsigner/EC.java completed and timed out

Your commit was automatically rebased without conflicts.

[openjdk]

@gnu-andrew @TheMangovnik Pushed as commit 463e25f.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.