Don't filter out TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 #9274

Merged
merged 1 commit into from Jun 24, 2019

@slandelle (Contributor) commented Jun 24, 2019

Motivation:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 has been supported since Java 8 (see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html) and belongs to the recommended configurations in many references, e.g. SSL Labs (https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) or Google Cloud Platform Restricted Profile.

Modifications:

Add TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to default ciphers list.

Result:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is enabled by default.


@slandelle slandelle requested a review from normanmaurer Jun 24, 2019

@netty-bot commented Jun 24, 2019

Can one of the admins verify this patch?

@normanmaurer (Member) commented Jun 24, 2019

@netty-bot test this please

@normanmaurer (Member) commented Jun 24, 2019

@slandelle do we need to only add it on Java 8+?

@slandelle (Contributor, Author) commented Jun 24, 2019

I don't think so. It's just a filter, right? @Scottmitch can confirm.

@normanmaurer (Member) commented Jun 24, 2019

@slandelle ah yeah you are right!
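
The "it's just a filter" point from the exchange above, as an added example that is not part of the original thread and is not Netty's code: a preferred cipher list is intersected with the suites the running JVM's TLS engine supports, so naming a suite that a given runtime lacks is harmless. The `PREFERRED` list, the `filter` helper and the placeholder suite name are assumptions made for illustration; only standard JSSE calls are used.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherFilterDemo {
    // Hypothetical preferred list for this example (not Netty's actual default list).
    static final List<String> PREFERRED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_EXAMPLE_NOT_A_REAL_SUITE"); // constructed name: stands in for a suite the runtime lacks

    // Keep preferred suites, in preferred order, only if the engine supports them.
    static List<String> filter(List<String> preferred, Set<String> supported) {
        List<String> kept = new ArrayList<>();
        for (String suite : preferred) {
            if (supported.contains(suite)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        Set<String> supported =
            new LinkedHashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));

        List<String> enabled = filter(PREFERRED, supported);
        if (enabled.isEmpty()) {
            // Fail closed rather than falling back to whatever the JDK enables by default.
            throw new IllegalStateException("no preferred cipher suite is supported");
        }
        // setEnabledCipherSuites rejects unsupported names, so filtering must come first.
        engine.setEnabledCipherSuites(enabled.toArray(new String[0]));

        for (String suite : PREFERRED) {
            System.out.println((supported.contains(suite) ? "kept     " : "dropped  ") + suite);
        }
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```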

@carl-mastrangelo (Member) left a comment

LGTM

@carl-mastrangelo (Member) commented Jun 24, 2019

Seems to match what the Go TLS exposes.

@johnou

johnou approved these changes Jun 24, 2019

@normanmaurer normanmaurer added this to the 4.1.37.Final milestone Jun 24, 2019

@normanmaurer normanmaurer merged commit 039087e into 4.1 Jun 24, 2019

3 checks passed

pull request validation (centos6-java11) Build finished.
pull request validation (centos6-java12) Build finished.
pull request validation (centos6-java8) Build finished.

@normanmaurer normanmaurer deleted the missing-cipher branch Jun 24, 2019

normanmaurer added a commit that referenced this pull request Jun 24, 2019

Don't filter out TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (#9274)

@slandelle (Contributor, Author) commented Jun 24, 2019

Thanks for merging

@normanmaurer (Member) commented Jun 24, 2019

@slandelle no problem... thanks for bringing it up.
