Support for TLS 1.1 & 1.2
Brad Wetmore
bradford.wetmore at oracle.com
Fri Dec 24 02:38:55 UTC 2010
On 12/23/2010 7:21 AM, martin.corr at bt.com wrote:
> Brad,
>
> Has there been any move to support TLS in oracle JRE?
I'm a little confused by the question, or maybe the confusion lies in
how the OpenJDK 7 is part of OracleJDK. We take the OpenJDK 7 source
and make some modifications (adding in some closed code, replacing bits
here/there, etc.). So Oracle JDK 7 has had TLS 1.2 since mid-November,
b114 if I'm reading the logs right.
> In terms of the continued use of SHA-1, here is a useful site that
> summarises various recommendations and most state that SHA-1
> should be phased out now.
SHA-1 can still be used as the basis of MACs which is where it's used a
lot in TLS. It's SHA-1 by itself that is of concern.
Brad
> http://www.keylength.com/en/3/
>
> I can see that openjdk now includes TLS 1.2 which is great. We are looking to replace all use of SHA-1 but use the standard JRE not openjdk.
>
> Regards,
> Martin
>
> -----Original Message-----
> From: security-dev-bounces at openjdk.java.net [mailto:security-dev-bounces at openjdk.java.net] On Behalf Of Bradford Wetmore
> Sent: 20 April 2010 22:49
> To: Christopher Wood ( Ottawa ); 'security-dev at openjdk.java.net'; briefkasten at uebber.de
> Subject: Re: Support for TLS 1.1& 1.2
>
>
> Christian/Christopher and any others,
>
> On 1/7/2010 8:47 AM, Christopher Wood ( Ottawa ) wrote:
>
>> 1. In a previous email (January 2008)
>
> ...referring to Christian's email...
> http://mail.openjdk.java.net/pipermail/security-dev/2008-January/000054.html
>
>> asked about support for
>> TLS 1.1. The reply indicated that it was planned for J2SE 7 and that
>> the implementation was in progress; is that still the case?
>
> We had made some progress, but some higher-priority issues came up and
> it got back-burnered.
>
>> 2. Are there any plans to support TLS 1.2? If so, in what release and
>> timeframe?
>
> With all the transitions going on around here, we're now regrouping on
> the question of *BOTH* TLS 1.1 and 1.2 support. We're going to be
> re-proposing TLS 1.1/1.2 for a future JDK release. We've been pulling
> together our own reasons, but having actual customer feedback will help
> our case for completing this work. Any information you can supply about
> your needs may be added to our proposal. Feel free to reply directly to
> me if you'd rather not discuss your needs in a public forum.
>
> Thanks,
> Brad
>