[security-dev 00637]: Re: SNI support in JSSE

Michael Tandy michaeltandy at googlemail.com
Mon Mar 2 11:38:42 UTC 2009


> Good point. But for FIPS-140 compliance, TLS 1.0 should be used; SSL v2 Hello
> will not be used in a FIPS validated environment.

On the subject of FIPS, perhaps you can answer a question: I gather we
have FIPS support [3], but from the documentation [4] I've got no idea
of how to enable it.

>> Do you think it's likely a server would require SSL3 or TLS, but
>> wouldn't support hello extensions?
>
> Yes, I do remember that some of the current ssl/tls servers may refuse to
> accept connections from a client that used TLS extensions. Please refer to
> [1] and [2].

OK, so as I see it our options are:
(a) don't include client SNI support in OpenJDK 7
(b) include SNI support with no API to turn it off, which will break
some servers
(c) use a system property to work around the API freeze, add a proper
API to the next version, and maintain support for the workaround
forever
(d) use a system property to work around the API freeze, add a proper
API to the next version, and break the workaround in the next version

None of those options sound very good to me. What do you think we should do?

Michael

[3] http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html
[4] http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
