Fwd: OT: Reason TLS 1.1 & 1.2 off by default

Brad Wetmore bradford.wetmore at oracle.com
Mon May 14 18:35:17 PDT 2012


 > After the demo last September that SSL 3.0 might be defeatable,
 > 1.6.29 or 30 came out which added TLS 1.1 & 1.2 to Java 6,

You are likely thinking of a different fix which was added to JDK 6u29 
to address CVE-2011-3389.

Oracle has not backported TLS 1.1/1.2 to Java 6.  TLS 1.1/1.2 currently 
only exists in JDK 7 (and 8).

There have been interop issues with existing TLS servers (including some 
which don't even speak TLS 1.1/1.2, but choke on the 1.1/1.2 requests), 
which is part of the reason why it hasn't been enabled by default yet.

Brad


> -------- Original Message --------
> Subject: OT: Reason TLS 1.1 & 1.2 off by default
> Date: Mon, 14 May 2012 16:51:24 -0400
> From: Jeff Palmer <jcpalmer at rochester.rr.com>
> To: macosx-port-dev at openjdk.java.net
>
> There might be a better place to bring this up, but I do not understand
> why TLS 1.1 & 1.2 are not enabled by default in the Java Control Panel.
> This is not just the Mac port.
>
> After the demo last September that SSL 3.0 might be defeatable, 1.6.29
> or 30 came out which added TLS 1.1 & 1.2 to Java 6, something that was
> already in Java 7. Browser makers started to work on the newer protocols
> from the client side. Jetty and possibly other servers started putting
> out releases which allowed protocols to be prioritized or even turned off.
>
> No average user is ever going to turn this on themselves. I can fully
> see not turning SSL 3.0 and TLS 1.0 off (but I have tested this), but
> not a reason to not turn these on.
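
Added example (not part of the original thread, and not Oracle's code): a client that wants TLS 1.1/1.2 on a JDK 7 runtime, where the reply above says they exist but are not enabled by default, can compare the supported and default protocol lists and opt in per socket. The class name TlsOptIn and the WANTED list are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsOptIn {
    // Protocol versions to opt in to (illustrative choice, newest first).
    private static final String[] WANTED = {"TLSv1.2", "TLSv1.1"};

    /** Default-enabled protocols plus any WANTED ones this runtime supports. */
    static String[] optInProtocols(SSLContext ctx) {
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled = new ArrayList<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
        for (String p : WANTED) {
            // Never request a version the provider does not implement
            // (for example on Java 6, which has no TLS 1.1/1.2).
            if (supported.contains(p) && !enabled.contains(p)) {
                enabled.add(p);
            }
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Unconnected socket: nothing is sent on the network.
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            socket.setEnabledProtocols(optInProtocols(ctx));
            System.out.println("enabled:   "
                    + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

Because of the interop problems mentioned in the reply, a client that opts in this way should be tested against the servers it actually connects to before the change is rolled out.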

