[security-dev 00638]: Re: SNI support in JSSE

Xuelei Fan Xuelei.Fan at Sun.COM
Mon Mar 2 13:35:08 UTC 2009 

Michael Tandy wrote:
>> Good point. But for FIPS-140 compliant. TLS1.0 should be used, SSL v2 Hello
>> will not be used in a FIPS validated environment.
>>     
>
> On the subject of FIPS, perhaps you can answer a question: I gather we
> have FIPS support [3], but from the documentation [4] I've got no idea
> of how to enable it.
>
>   
FIPS compliant mode is experimental in SunJSSE. I don't think, or I 
don't know there is a public approach to enable it. However, we have 
test case on PKCS11 crypro provider with internal APIs, which looks like:
     Provider p = a pkcs11 provider;
     Security.removeProvier("SunJSSE");
     Provider fipsjsse = new com.sun.net.ssl.internal.ssl Provider(p);
     Security.addProvider(fipsjsse);   //FIPS enabled here.

Note, this just a show case, please do not use Sun internal APIs 
directly, which may be deleted or changed at any time.
>>> Do you think it's likely a server would require SSL3 or TLS, but
>>> wouldn't support hello extensions?
>>>       
>> Yes, I do remember that some of the current ssl/tls servers may refuse to
>> accept connections from a client that used TLS extensions. Please refer to
>> [1] and [2].
>>     
>
> OK, so as I see it our options are:
> (a) don't include client SNI support in OpenJDK 7
> (b) include SNI support with no API to turn it off, which will break
> some servers
> (c) use a system property to work around the API freeze, add a proper
> API to the next version, and maintain support for the workaround
> forever
> (d) use a system property to work around the API freeze, add a proper
> API to the next version, and break the workaround in the next version
>
> None of those options sound very good to me. What do you think we should do?
>
>   
I have no choice but (c). Personally, I really think SNI is becoming a 
have-to-have feature with the grow of virtualization computing.

Xuelei
> Michael
>
> [3] http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html
> [4] http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
>

More information about the security-dev mailing list