8028518: Increase the priorities of GCM cipher suites

Reviewed-by: wetmore
Xue-Lei Andrew Fan 2014-01-13 20:56:18 -08:00
parent 45609addf6
commit 15c7afef94
2 changed files with 55 additions and 66 deletions


@ -985,13 +985,45 @@ final class CipherSuite implements Comparable<CipherSuite> {
// ID Key Exchange Cipher A obs suprt PRF
// ====== ============ ========= = === ===== ========
// Placeholder for cipher suites in GCM mode.
// Suite B compliant cipher suites, see RFC 6460.
//
// For better compatibility and interoperability, we decrease the
// priority of cipher suites in GCM mode for a while as GCM
// technologies mature in the industry. Eventually we'll move
// the GCM suites here.
// Note that, at present this provider is not Suite B compliant. The
// preference order of the GCM cipher suites does not follow the spec
// of RFC 6460. In this section, only two cipher suites are listed
// so that applications can make use of Suite-B compliant cipher
// suite firstly.
add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
0xc02c, --p, K_ECDHE_ECDSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
0xc02b, --p, K_ECDHE_ECDSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
// AES_256(GCM)
add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
0xc030, --p, K_ECDHE_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_RSA_WITH_AES_256_GCM_SHA384",
0x009d, --p, K_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
0xc02e, --p, K_ECDH_ECDSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
0xc032, --p, K_ECDH_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
0x009f, --p, K_DHE_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
0x00a3, --p, K_DHE_DSS, B_AES_256_GCM, T, max, tls12, P_SHA384);
// AES_128(GCM)
add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
0xc02f, --p, K_ECDHE_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_RSA_WITH_AES_128_GCM_SHA256",
0x009c, --p, K_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
0xc02d, --p, K_ECDH_ECDSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
0xc031, --p, K_ECDH_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
0x009e, --p, K_DHE_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
0x00a2, --p, K_DHE_DSS, B_AES_128_GCM, T, max, tls12, P_SHA256);
// AES_256(CBC)
add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
@ -1067,50 +1099,6 @@ final class CipherSuite implements Comparable<CipherSuite> {
add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
0xC00C, --p, K_ECDH_RSA, B_RC4_128, N);
// Cipher suites in GCM mode, see RFC 5288/5289.
//
// We may increase the priority of cipher suites in GCM mode when
// GCM technologies become mature in the industry.
// Suite B compliant cipher suites, see RFC 6460.
//
// Note that, at present this provider is not Suite B compliant. The
// preference order of the GCM cipher suites does not follow the spec
// of RFC 6460.
add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
0xc02c, --p, K_ECDHE_ECDSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
0xc02b, --p, K_ECDHE_ECDSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
// AES_256(GCM)
add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
0xc030, --p, K_ECDHE_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_RSA_WITH_AES_256_GCM_SHA384",
0x009d, --p, K_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
0xc02e, --p, K_ECDH_ECDSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
0xc032, --p, K_ECDH_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
0x009f, --p, K_DHE_RSA, B_AES_256_GCM, T, max, tls12, P_SHA384);
add("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
0x00a3, --p, K_DHE_DSS, B_AES_256_GCM, T, max, tls12, P_SHA384);
// AES_128(GCM)
add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
0xc02f, --p, K_ECDHE_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_RSA_WITH_AES_128_GCM_SHA256",
0x009c, --p, K_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
0xc02d, --p, K_ECDH_ECDSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
0xc031, --p, K_ECDH_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
0x009e, --p, K_DHE_RSA, B_AES_128_GCM, T, max, tls12, P_SHA256);
add("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
0x00a2, --p, K_DHE_DSS, B_AES_128_GCM, T, max, tls12, P_SHA256);
// End of cipher suites in GCM mode.
// 3DES_EDE
add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
0xC008, --p, K_ECDHE_ECDSA, B_3DES, T);
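Review bot: In the first hunk, within the new `// AES_256(GCM)` and `// AES_128(GCM)` groups, the static-RSA suites (`TLS_RSA_WITH_AES_256_GCM_SHA384` with `K_RSA`, and likewise `TLS_RSA_WITH_AES_128_GCM_SHA256`) are ranked above the `K_DHE_RSA`/`K_DHE_DSS` suites, so a peer offering both is steered to a key exchange without forward secrecy, and the comment that appears to be new only says the order departs from RFC 6460, not why the non-ephemeral suites come first. If this intentionally mirrors the key-exchange order of the CBC groups further down (outside this hunk), a one-line note would save the next reader the comparison, e.g. `// Within each GCM group the key-exchange order follows the CBC groups below; K_RSA precedes the ephemeral DHE suites.`. The sentence `so that applications can make use of Suite-B compliant cipher suite firstly` reads awkwardly; `so that applications prefer the Suite B compliant cipher suites first` is clearer. Which of the placeholder-comment lines at the top of the first hunk are removed versus retained cannot be told from this rendering, so the exact comment to reword should be confirmed against the raw diff.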


@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -35,12 +35,28 @@
import java.util.*;
import javax.net.ssl.*;
import java.security.Security;
public class CipherSuitesInOrder {
// supported ciphersuites
private final static List<String> supportedCipherSuites =
Arrays.<String>asList(
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
@ -75,21 +91,6 @@ public class CipherSuitesInOrder {
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA",