Java crypto roadmap


Java crypto roadmap

Ian Young-3
Potentially relevant to our interests, recently updated:

https://java.com/en/jre-jdk-cryptoroadmap.html

Some highlights:

* TLS 1.3 coming to Java 8 (?!) some time in 2020. So, not dead then. Supposedly announced in July although I don't remember seeing that. I can't see this one affecting anyone negatively.

* TLS 1.0 and TLS 1.1 being *disabled* in all versions of Java from Java 7 onwards, second half of 2020. This is new and will presumably affect existing deployments if they take the relevant Java update (which I have to assume a lot of people will).

I don't think there are a lot of circumstances in which this would affect the IdP, as it doesn't initiate connections very often, but:

* A really old SP doing attribute query might be affected.

* The IdP might be affected if it was fetching metadata from an HTTPS location that was too old to support TLS 1.2. That sounds like an unlikely combination.

Am I missing anything?

    -- Ian

P.S. You can disable TLS 1.0 and TLS 1.1 today as described here, if you want: https://java.com/en/configure_crypto.html#DisableTLS



--
To unsubscribe from this list send an email to [hidden email]


Re: Java crypto roadmap

Cantor, Scott E.
On 10/16/19, 10:34 AM, "dev on behalf of Ian Young" <[hidden email] on behalf of [hidden email]> wrote:

> * TLS 1.0 and TLS 1.1 being *disabled* in all versions of Java from Java 7 onwards, second half of 2020. This is new and
> will presumably affect existing deployments if they take the relevant Java update (which I have to assume a lot of people
> will).

As in "removed" or just a default policy rule that can be overridden to turn them back on?

I broke a bunch of Red Hat <mumble> systems by turning off TLS 1.1 on my Jetty servers where I host my metadata locally so this would be a big deal if not revocable.

-- Scott



Re: Java crypto roadmap

Christopher Bongaarts
In reply to this post by Ian Young-3
On 10/16/2019 9:34 AM, Ian Young wrote:
> * TLS 1.0 and TLS 1.1 being *disabled* in all versions of Java from Java 7 onwards, second half of 2020. This is new and will presumably affect existing deployments if they take the relevant Java update (which I have to assume a lot of people will).
>
> I don't think there are a lot of circumstances in which this would affect the IdP, as it doesn't initiate connections very often, but:
>
> * A really old SP doing attribute query might be affected.
>
> * The IdP might be affected if it was fetching metadata from an HTTPS location that was too old to support TLS 1.2. That sounds like an unlikely combination.
>
> Am I missing anything?

Presumably it would also affect outbound LDAPS connections.

Not sure if TLS is used on database connections, but that would be
another place I'd double check.

Web services calls to Duo would also fall under this.  I think it's safe
to assume they support 1.2 or 1.3, though.

--
%%  Christopher A. Bongaarts   %%  [hidden email]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%


Re: Java crypto roadmap

Ian Young-3
In reply to this post by Cantor, Scott E.
On 2019-10-16, at 15:37, Cantor, Scott <[hidden email]> wrote:

> On 10/16/19, 10:34 AM, "dev on behalf of Ian Young" <[hidden email] on behalf of [hidden email]> wrote:
>
>> * TLS 1.0 and TLS 1.1 being *disabled* in all versions of Java from Java 7 onwards, second half of 2020. This is new and
>> will presumably affect existing deployments if they take the relevant Java update (which I have to assume a lot of people
>> will).
>
> As in "removed" or just a default policy rule that can be overridden to turn them back on?

They say disabled rather than removed, so I guess there might be a way to turn it back on. Might require editing java.security though (that's how they suggest testing disabling them).

> I broke a bunch of Red Hat <mumble> systems by turning off TLS 1.1 on my Jetty servers where I host my metadata locally so this would be a big deal if not revocable.

Ugh. When did RHEL add support for 1.2? RHEL 6 or was it 7?

I got this via a tweet by Sean Mullan, might be worth asking him directly.

    -- Ian
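A readiness check in the spirit of the P.S. in the first message and the java.security remark in this reply, added here as an example and not code from the thread or from Java's own documentation: it reads the JDK's `jdk.tls.disabledAlgorithms` policy (the java.security property behind the linked disabling instructions), lists the protocol versions the default SSLContext will actually negotiate, and optionally attempts a TLS 1.2-only handshake against one endpoint the IdP has to reach (metadata source, LDAPS, database, Duo). The host and port are command-line arguments; the policy value shown in the comment is illustrative.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Reports which TLS versions this JVM allows, and whether a peer still works with TLS 1.2 only. */
public class TlsPolicyCheck {

    /** Protocol versions the default SSLContext will negotiate under the current policy. */
    static List<String> enabledProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** True if the version is listed in java.security's jdk.tls.disabledAlgorithms,
     *  e.g. (illustrative) jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, ... */
    static boolean disabledByPolicy(String version) {
        String policy = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (policy == null) return false;
        for (String entry : policy.split(",")) {
            if (entry.trim().equalsIgnoreCase(version)) return true;
        }
        return false;
    }

    /** Handshake restricted to a single protocol version; false if the JVM refuses it
     *  (disabled by policy) or the peer cannot speak it. */
    static boolean peerSupports(String host, int port, String version) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledProtocols(new String[] { version });
            socket.startHandshake();
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("default enabled protocols  = " + enabledProtocols());
        for (String v : new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }) {
            System.out.println(v + " disabled by policy: " + disabledByPolicy(v));
        }
        if (args.length == 2) {  // usage: java TlsPolicyCheck <host> <port>
            String host = args[0]; int port = Integer.parseInt(args[1]);
            System.out.println(host + ":" + port + " accepts TLSv1.2: " + peerSupports(host, port, "TLSv1.2"));
        }
    }
}
```

Run it once before and once after adding TLSv1 and TLSv1.1 to the policy to see the default protocol list shrink; a metadata source or LDAPS server that answers false for TLSv1.2 is the case the thread is worried about.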






Re: Java crypto roadmap

Cantor, Scott E.
On 10/16/19, 11:00 AM, "dev on behalf of Ian Young" <[hidden email] on behalf of [hidden email]> wrote:

> Ugh. When did RHEL add support for 1.2? RHEL 6 or was it 7?

I believe it is missing in 5, but if that doesn't turn out to be true, I'll let you do the math.

-- Scott



