Regressions due to USN-2696-1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openjdk-6 (Ubuntu) | New | Undecided | Unassigned |
openjdk-7 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Due to [CBCATT], some server administrators (including the webservices gateway for a major airline reservations provider) choose to disable CBC ciphersuites unless the protocol level is TLSv1.1 or later; [TLS1.1] introduced an explicit CBC IV to guard against such attacks. (See [TLS1.1] section 1.1) On such servers, disabling all CBC ciphersuites may leave only RC4 as a trusted cipher.
JDK7 introduced support for TLSv1.2, but chose not to enable it by default, due to a policy of not changing such defaults in minor revisions. JDK8 enables TLSv1.2 by default.
On Ubuntu, due to USN-2696-1, starting with the openjdk-
negotiation can fail.
Workaround: on OpenJDK7, it is possible to either use SSLContext.
References:
[TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
https:/
[CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
http://
Also affects JDK6; the situation is a little worse on 6, which does not support anything newer than TLS1.0.
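An added example, not code from this bug report or from OpenJDK: a Java 7-compatible check that prints which protocols and cipher-suite families a client gets from the JVM default `SSLContext` and from one requested explicitly with `SSLContext.getInstance("TLSv1.2")`, and whether each has common ground with a server like the one in the description. The class name and the modelled server policy (CBC only at TLSv1.1 or later, RC4 otherwise) are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

// Hypothetical class name; Java 7 compatible, opens no network connection.
public class TlsClientDefaults {

    // Number of cipher suites whose name contains the marker ("_RC4_" or "_CBC_").
    static int count(String[] suites, String marker) {
        int n = 0;
        for (String s : suites) {
            if (s.contains(marker)) n++;
        }
        return n;
    }

    // Assumed server policy, modelled on the description: CBC suites are accepted
    // only at TLSv1.1 or later; below that the server accepts RC4 only.
    static boolean canNegotiate(SSLParameters p) {
        String[] suites = p.getCipherSuites();
        boolean modern = false;
        for (String proto : p.getProtocols()) {
            if (proto.equals("TLSv1.1") || proto.equals("TLSv1.2")) modern = true;
        }
        boolean rc4 = count(suites, "_RC4_") > 0;
        boolean cbc = count(suites, "_CBC_") > 0;
        return (modern && cbc) || rc4;
    }

    // Report what a client socket created from this context offers by default.
    static void report(String label, SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        String[] suites = p.getCipherSuites();
        System.out.println(label);
        System.out.println("  protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("  suites: " + suites.length + " enabled, "
                + count(suites, "_CBC_") + " CBC, " + count(suites, "_RC4_") + " RC4");
        System.out.println("  common ground with the modelled server: " + canNegotiate(p));
    }

    public static void main(String[] args) throws Exception {
        report("JVM default context", SSLContext.getDefault());
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null); // default key managers, trust managers and RNG
        report("explicit TLSv1.2 context", tls12);
    }
}
```

Running it under the same JVM before and after a package update shows whether the default client offer changed.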