[rfc][icedtea-web] https proobing

Jacob Wisor gitne at gmx.de
Thu Oct 16 12:44:10 UTC 2014

On 08/07/2014 at 07:25 PM, Jiri Vanek wrote:
> Hi!
> this patch *should* solve most of the issues ITW have with various broken or old
> https servers. Should, because I have no page where to reproduce. My only
> tracker is https://bugzilla.redhat.com/show_bug.cgi?id=1089130 and small
> attached program which I wrote used to tests various requests to known broken
> https server (to get files).

I suppose this
makes the discussion about this patch obsolete. I am no cryptography expert, 
however I do have sufficient knowledge on this subject to strongly advise 
everybody who really cares about security to migrate to TLS. IMHO the next JDK 
release should definitely finally drop support for SSL 2.0 and SSL 3.0 
altogether. Yes, even when this means that things will break, or perhaps 
/because/ things break. Outdated and EOL applications which rely on transport 
security supporting SSL 2.0 or SSL 3.0 only should not run on newer versions of 
Java. It's simply irresponsible to allow this madness to continue. So called 
"legacy compatibility" is not an issue of compatibility but about forcing people 
to give up their security.
Having said that, IcedTea-Web should not get on the wrong track either. The next 
release, possibly 1.6, should accept no less than TLS 1.0 connections only. 
Heck, actually we would need a patch which implements the opposite: No SSL 2.0 
and SSL 3.0 connections what so ever.

OpenJDK as well as Oracle's JRE currently enable users and administrators to 
configure the JRE to fallback all the way down to SSL 2.0. It may not be 
convenient to configure or unknown and difficult for inexperienced users but it 
is possible, which is bad enough in the light of recent discoveries. If somebody 
wants or needs to run software which relies on insecure connections should have 
been warned by now and be really sure about what they are doing.


More information about the distro-pkg-dev mailing list