# HG changeset patch # User xuelei # Date 1293028126 28800 # Node ID d026f4f9c11945816cdb743bb6feceb2dde6e46a # Parent ad4062c4253d5129470d9116cfda1b2ce477621b 6996365: Evaluate the priorities of cipher suites Reviewed-by: wetmore diff -r ad4062c4253d -r d026f4f9c119 jdk/src/share/classes/sun/security/ssl/CipherSuite.java --- a/jdk/src/share/classes/sun/security/ssl/CipherSuite.java Wed Dec 22 14:37:15 2010 +0100 +++ b/jdk/src/share/classes/sun/security/ssl/CipherSuite.java Wed Dec 22 06:28:46 2010 -0800 @@ -577,14 +577,16 @@ final static MacAlg M_SHA256 = new MacAlg("SHA256", 32); final static MacAlg M_SHA384 = new MacAlg("SHA384", 48); - // PRFs (PseudoRandom Function) from TLS specifications. - // - // TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for generating - // the necessary material. - // - // In TLS 1.2+, all existing/known CipherSuites use SHA256, however - // new Ciphersuites (e.g. RFC 5288) can define specific PRF hash - // algorithms. + /** + * PRFs (PseudoRandom Function) from TLS specifications. + * + * TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for generating + * the necessary material. + * + * In TLS 1.2+, all existing/known CipherSuites use SHA256, however + * new Ciphersuites (e.g. RFC 5288) can define specific PRF hash + * algorithms. + */ static enum PRF { // PRF algorithms @@ -862,8 +864,18 @@ add("SSL_NULL_WITH_NULL_NULL", 0x0000, 1, K_NULL, B_NULL, F); - // Definition of the CipherSuites that are enabled by default. - // They are listed in preference order, most preferred first. + /* + * Definition of the CipherSuites that are enabled by default. + * They are listed in preference order, most preferred first, using + * the following criteria: + * 1. Prefer the stronger buld cipher, in the order of AES_256, + * AES_128, RC-4, 3DES-EDE. + * 2. Prefer the stronger MAC algorithm, in the order of SHA384, + * SHA256, SHA, MD5. + * 3. Prefer the better performance of key exchange and digital + * signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, + * RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS. + */ int p = DEFAULT_SUITES_PRIORITY * 2; // shorten names to fit the following table cleanly. @@ -873,170 +885,185 @@ // ID Key Exchange Cipher A obs suprt PRF // ====== ============ ========= = === ===== ======== - add("TLS_RSA_WITH_AES_128_CBC_SHA256", - 0x003c, --p, K_RSA, B_AES_128, T, max, tls12, P_SHA256); + add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + 0xc024, --p, K_ECDHE_ECDSA, B_AES_256, T, max, tls12, P_SHA384); + add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + 0xc028, --p, K_ECDHE_RSA, B_AES_256, T, max, tls12, P_SHA384); add("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x003d, --p, K_RSA, B_AES_256, T, max, tls12, P_SHA256); - add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - 0x0040, --p, K_DHE_DSS, B_AES_128, T, max, tls12, P_SHA256); - add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - 0x0067, --p, K_DHE_RSA, B_AES_128, T, max, tls12, P_SHA256); + add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + 0xc026, --p, K_ECDH_ECDSA, B_AES_256, T, max, tls12, P_SHA384); + add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + 0xc02a, --p, K_ECDH_RSA, B_AES_256, T, max, tls12, P_SHA384); + add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + 0x006b, --p, K_DHE_RSA, B_AES_256, T, max, tls12, P_SHA256); add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x006a, --p, K_DHE_DSS, B_AES_256, T, max, tls12, P_SHA256); - add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - 0x006b, --p, K_DHE_RSA, B_AES_256, T, max, tls12, P_SHA256); + + add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + 0xC00A, --p, K_ECDHE_ECDSA, B_AES_256, T); + add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + 0xC014, --p, K_ECDHE_RSA, B_AES_256, T); + add("TLS_RSA_WITH_AES_256_CBC_SHA", + 0x0035, --p, K_RSA, B_AES_256, T); + add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + 0xC005, --p, K_ECDH_ECDSA, B_AES_256, T); + add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + 0xC00F, --p, K_ECDH_RSA, B_AES_256, T); + add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + 0x0039, --p, K_DHE_RSA, B_AES_256, T); + add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + 0x0038, --p, K_DHE_DSS, B_AES_256, T); add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0xc023, --p, K_ECDHE_ECDSA, B_AES_128, T, max, tls12, P_SHA256); - add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - 0xc024, --p, K_ECDHE_ECDSA, B_AES_256, T, max, tls12, P_SHA384); + add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + 0xc027, --p, K_ECDHE_RSA, B_AES_128, T, max, tls12, P_SHA256); + add("TLS_RSA_WITH_AES_128_CBC_SHA256", + 0x003c, --p, K_RSA, B_AES_128, T, max, tls12, P_SHA256); add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0xc025, --p, K_ECDH_ECDSA, B_AES_128, T, max, tls12, P_SHA256); - add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", - 0xc026, --p, K_ECDH_ECDSA, B_AES_256, T, max, tls12, P_SHA384); - add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - 0xc027, --p, K_ECDHE_RSA, B_AES_128, T, max, tls12, P_SHA256); - add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - 0xc028, --p, K_ECDHE_RSA, B_AES_256, T, max, tls12, P_SHA384); add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0xc029, --p, K_ECDH_RSA, B_AES_128, T, max, tls12, P_SHA256); - add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", - 0xc02a, --p, K_ECDH_RSA, B_AES_256, T, max, tls12, P_SHA384); + add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + 0x0067, --p, K_DHE_RSA, B_AES_128, T, max, tls12, P_SHA256); + add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + 0x0040, --p, K_DHE_DSS, B_AES_128, T, max, tls12, P_SHA256); - add("SSL_RSA_WITH_RC4_128_MD5", - 0x0004, --p, K_RSA, B_RC4_128, N); - add("SSL_RSA_WITH_RC4_128_SHA", - 0x0005, --p, K_RSA, B_RC4_128, N); + add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + 0xC009, --p, K_ECDHE_ECDSA, B_AES_128, T); + add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + 0xC013, --p, K_ECDHE_RSA, B_AES_128, T); add("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002f, --p, K_RSA, B_AES_128, T); - add("TLS_RSA_WITH_AES_256_CBC_SHA", - 0x0035, --p, K_RSA, B_AES_256, T); - - add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N); add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 0xC004, --p, K_ECDH_ECDSA, B_AES_128, T); - add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - 0xC005, --p, K_ECDH_ECDSA, B_AES_256, T); - add("TLS_ECDH_RSA_WITH_RC4_128_SHA", - 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N); add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 0xC00E, --p, K_ECDH_RSA, B_AES_128, T); - add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - 0xC00F, --p, K_ECDH_RSA, B_AES_256, T); + add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + 0x0033, --p, K_DHE_RSA, B_AES_128, T); + add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + 0x0032, --p, K_DHE_DSS, B_AES_128, T); add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N); - add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - 0xC009, --p, K_ECDHE_ECDSA, B_AES_128, T); - add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - 0xC00A, --p, K_ECDHE_ECDSA, B_AES_256, T); add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N); - add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - 0xC013, --p, K_ECDHE_RSA, B_AES_128, T); - add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - 0xC014, --p, K_ECDHE_RSA, B_AES_256, T); + add("SSL_RSA_WITH_RC4_128_SHA", + 0x0005, --p, K_RSA, B_RC4_128, N); + add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N); + add("TLS_ECDH_RSA_WITH_RC4_128_SHA", + 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N); - add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - 0x0033, --p, K_DHE_RSA, B_AES_128, T); - add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - 0x0039, --p, K_DHE_RSA, B_AES_256, T); - add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - 0x0032, --p, K_DHE_DSS, B_AES_128, T); - add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - 0x0038, --p, K_DHE_DSS, B_AES_256, T); - + add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + 0xC008, --p, K_ECDHE_ECDSA, B_3DES, T); + add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + 0xC012, --p, K_ECDHE_RSA, B_3DES, T); add("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 0x000a, --p, K_RSA, B_3DES, T); add("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", 0xC003, --p, K_ECDH_ECDSA, B_3DES, T); add("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", 0xC00D, --p, K_ECDH_RSA, B_3DES, T); - add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - 0xC008, --p, K_ECDHE_ECDSA, B_3DES, T); - add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - 0xC012, --p, K_ECDHE_RSA, B_3DES, T); add("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0016, --p, K_DHE_RSA, B_3DES, T); add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0013, --p, K_DHE_DSS, B_3DES, N); + add("SSL_RSA_WITH_RC4_128_MD5", + 0x0004, --p, K_RSA, B_RC4_128, N); + // Renegotiation protection request Signalling Cipher Suite Value (SCSV) add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x00ff, --p, K_SCSV, B_NULL, T); - // Definition of the CipherSuites that are supported but not enabled - // by default. - // They are listed in preference order, preferred first. + /* + * Definition of the CipherSuites that are supported but not enabled + * by default. + * They are listed in preference order, preferred first, using the + * following criteria: + * 1. CipherSuites for KRB5 need additional KRB5 service + * configuration, and these suites are not common in practice, + * so we put KRB5 based cipher suites at the end of the supported + * list. + * 2. If a cipher suite has been obsoleted, we put it at the end of + * the list. + * 3. Prefer the stronger bulk cipher, in the order of AES_256, + * AES_128, RC-4, 3DES-EDE, DES, RC4_40, DES40, NULL. + * 4. Prefer the stronger MAC algorithm, in the order of SHA384, + * SHA256, SHA, MD5. + * 5. Prefer the better performance of key exchange and digital + * signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, + * RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous. + */ p = DEFAULT_SUITES_PRIORITY; - // weak single-DES cipher suites + add("TLS_DH_anon_WITH_AES_256_CBC_SHA256", + 0x006d, --p, K_DH_ANON, B_AES_256, N, max, tls12, P_SHA256); + add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + 0xC019, --p, K_ECDH_ANON, B_AES_256, T); + add("TLS_DH_anon_WITH_AES_256_CBC_SHA", + 0x003a, --p, K_DH_ANON, B_AES_256, N); + + add("TLS_DH_anon_WITH_AES_128_CBC_SHA256", + 0x006c, --p, K_DH_ANON, B_AES_128, N, max, tls12, P_SHA256); + add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + 0xC018, --p, K_ECDH_ANON, B_AES_128, T); + add("TLS_DH_anon_WITH_AES_128_CBC_SHA", + 0x0034, --p, K_DH_ANON, B_AES_128, N); + + add("TLS_ECDH_anon_WITH_RC4_128_SHA", + 0xC016, --p, K_ECDH_ANON, B_RC4_128, N); + add("SSL_DH_anon_WITH_RC4_128_MD5", + 0x0018, --p, K_DH_ANON, B_RC4_128, N); + + add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + 0xC017, --p, K_ECDH_ANON, B_3DES, T); + add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", + 0x001b, --p, K_DH_ANON, B_3DES, N); + + add("TLS_RSA_WITH_NULL_SHA256", + 0x003b, --p, K_RSA, B_NULL, N, max, tls12, P_SHA256); + add("TLS_ECDHE_ECDSA_WITH_NULL_SHA", + 0xC006, --p, K_ECDHE_ECDSA, B_NULL, N); + add("TLS_ECDHE_RSA_WITH_NULL_SHA", + 0xC010, --p, K_ECDHE_RSA, B_NULL, N); + add("SSL_RSA_WITH_NULL_SHA", + 0x0002, --p, K_RSA, B_NULL, N); + add("TLS_ECDH_ECDSA_WITH_NULL_SHA", + 0xC001, --p, K_ECDH_ECDSA, B_NULL, N); + add("TLS_ECDH_RSA_WITH_NULL_SHA", + 0xC00B, --p, K_ECDH_RSA, B_NULL, N); + add("TLS_ECDH_anon_WITH_NULL_SHA", + 0xC015, --p, K_ECDH_ANON, B_NULL, N); + add("SSL_RSA_WITH_NULL_MD5", + 0x0001, --p, K_RSA, B_NULL, N); + + // weak cipher suites obsoleted in TLS 1.2 add("SSL_RSA_WITH_DES_CBC_SHA", 0x0009, --p, K_RSA, B_DES, N, tls12); add("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0015, --p, K_DHE_RSA, B_DES, N, tls12); add("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0012, --p, K_DHE_DSS, B_DES, N, tls12); - - // Anonymous key exchange and the NULL ciphers - add("SSL_RSA_WITH_NULL_MD5", - 0x0001, --p, K_RSA, B_NULL, N); - add("SSL_RSA_WITH_NULL_SHA", - 0x0002, --p, K_RSA, B_NULL, N); - add("TLS_RSA_WITH_NULL_SHA256", - 0x003b, --p, K_RSA, B_NULL, N, max, tls12, P_SHA256); - - add("TLS_ECDH_ECDSA_WITH_NULL_SHA", - 0xC001, --p, K_ECDH_ECDSA, B_NULL, N); - add("TLS_ECDH_RSA_WITH_NULL_SHA", - 0xC00B, --p, K_ECDH_RSA, B_NULL, N); - add("TLS_ECDHE_ECDSA_WITH_NULL_SHA", - 0xC006, --p, K_ECDHE_ECDSA, B_NULL, N); - add("TLS_ECDHE_RSA_WITH_NULL_SHA", - 0xC010, --p, K_ECDHE_RSA, B_NULL, N); - - add("SSL_DH_anon_WITH_RC4_128_MD5", - 0x0018, --p, K_DH_ANON, B_RC4_128, N); - add("TLS_DH_anon_WITH_AES_128_CBC_SHA", - 0x0034, --p, K_DH_ANON, B_AES_128, N); - add("TLS_DH_anon_WITH_AES_256_CBC_SHA", - 0x003a, --p, K_DH_ANON, B_AES_256, N); - add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", - 0x001b, --p, K_DH_ANON, B_3DES, N); add("SSL_DH_anon_WITH_DES_CBC_SHA", 0x001a, --p, K_DH_ANON, B_DES, N, tls12); - add("TLS_DH_anon_WITH_AES_128_CBC_SHA256", - 0x006c, --p, K_DH_ANON, B_AES_128, N, max, tls12, P_SHA256); - add("TLS_DH_anon_WITH_AES_256_CBC_SHA256", - 0x006d, --p, K_DH_ANON, B_AES_256, N, max, tls12, P_SHA256); - - add("TLS_ECDH_anon_WITH_RC4_128_SHA", - 0xC016, --p, K_ECDH_ANON, B_RC4_128, N); - add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - 0xC018, --p, K_ECDH_ANON, B_AES_128, T); - add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", - 0xC019, --p, K_ECDH_ANON, B_AES_256, T); - add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - 0xC017, --p, K_ECDH_ANON, B_3DES, T); - + // weak cipher suites obsoleted in TLS 1.1 + add("SSL_RSA_EXPORT_WITH_RC4_40_MD5", + 0x0003, --p, K_RSA_EXPORT, B_RC4_40, N, tls11); add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0017, --p, K_DH_ANON, B_RC4_40, N, tls11); - add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", - 0x0019, --p, K_DH_ANON, B_DES_40, N, tls11); - add("TLS_ECDH_anon_WITH_NULL_SHA", - 0xC015, --p, K_ECDH_ANON, B_NULL, N); - - add("SSL_RSA_EXPORT_WITH_RC4_40_MD5", - 0x0003, --p, K_RSA_EXPORT, B_RC4_40, N, tls11); add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0008, --p, K_RSA_EXPORT, B_DES_40, N, tls11); add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0014, --p, K_DHE_RSA, B_DES_40, N, tls11); add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0011, --p, K_DHE_DSS, B_DES_40, N, tls11); + add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", + 0x0019, --p, K_DH_ANON, B_DES_40, N, tls11); // Supported Kerberos ciphersuites from RFC2712 add("TLS_KRB5_WITH_RC4_128_SHA",