8245545: Disable TLS_RSA cipher suites

[TheMangovnik]

Backport of JDK-8245545 - Disable TLS_RSA cipher suites

Some TLS suites do not preserve forward-secrecy and are not commonly used - and should not be used.

Not clean back port. This includes:

• Selection of disabled tests and some include that is in jdk11 but not in jdk17.
• Changed indentation of edited block of string defining disabled cipher suites.
• Bunch of copyright notices.

Tested on Fedora 43:

• gtests passed
• T1 have same fails before and after the back port -> not related to this.
• jtreg:test/jdk/sun/security passed.
• jtreg:test/jdk/javax/net/ssl passed.
• Github Actions passed.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8245545 needs maintainer approval
• Change requires CSR request JDK-8344257 to be approved

Issues

• JDK-8245545: Disable TLS_RSA cipher suites (Enhancement - P3)
• JDK-8344257: Disable TLS_RSA cipher suites (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3124/head:pull/3124
$ git checkout pull/3124

Update a local copy of the PR:
$ git checkout pull/3124
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3124/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3124

View PR using the GUI difftool:
$ git pr show -t 3124

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3124.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back TheMangovnik! A progress list of the required criteria for merging this PR into pr/3123 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 03: Full - Incremental (95da7d4c)
• 02: Full - Incremental (26a5bb72)
• 01: Full - Incremental (c1389344)
• 00: Full (c1389344)

[openjdk-notifier]

The parent pull request that this pull request depends on has now been integrated and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork:

git checkout backport/JDK-8245545
git fetch https://git.openjdk.org/jdk11u-dev.git master
git merge FETCH_HEAD
# if there are conflicts, follow the instructions given by git merge
git commit -m "Merge master"
git push

[gnu-andrew]

Most of this looks ok. I see three instances with changes that shouldn't be there:

1. test/jdk/javax/net/ssl/SSLEngine/Basics.java acquires some refactoring from JDK-8298867. This should just add the lines, as in other tests in 8245545, to re-enable TLS_RSA_* i.e.

+        // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");

2. test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java brings in a whole bunch of indentation changes from JDK-8301379. It should just add the additional algorithms as in 8245545.

3. test/jdk/sun/security/pkcs11/fips/TestTLS12.java alters the existing Red Hat copyright line for no apparent reason.

JDK-8298867 & JDK-8301379 are both test changes that are in Oracle's 11u and could be backported fully. Given we enter rampdown at the end of this week though, I would like to get this change in and those test changes can be done later if desired. We shouldn't be including chunks of them in this backport though.