Code review request, CR 7093640 Enable TLS 1.1 and TLS 1.2 by default in JSSE client

Xuelei Fan at
Thu Jan 12 07:17:07 PST 2012



It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.

There is a known tls-version-number tolerant issue for deployed SSL
servers. That is, some servers cannot work with clients whose TLS
version number is bigger than or equal to TLS 1.0. It only happens to
very, very old and few servers now.

In JDK 7, because of known server tls-version-number tolerant issues,
TLS 1.1 and TLS 1.2 are not enabled by default in the JSSE client.

TLS 1.1 is able to avoid the CBC issues in TLS 1.0 and previous
releases; and TLS 1.2 is able to use stronger hash functions.  As the
tls-version-number tolerant issues have been decreasing in recent years,
and the industry is pushing to use new TLS versions in order to avoid
CBC attacks and comply with the new hash policy, it's time for us to consider
enabling TLS 1.1 and TLS 1.2 in the JSSE client by default.

I know that because a few very old servers refuse to or cannot
upgrade to the latest TLS implementations, we may run into a few
compatibility issues because of TLS-version-number tolerant issues. But
what's the right time to make use of the advanced features for most of us?

It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.

Please review the changes.
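As an added illustration (not part of the review request or the JDK change itself), the following client selects TLS 1.2/1.1/1.0 explicitly on an SSLSocket instead of relying on the JDK's default-enabled list, and logs the negotiated version so that a version-intolerant server stands out in the logs. The host name is a placeholder; the JSSE API calls are standard.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Explicitly enable TLS 1.2, 1.1 and 1.0 on a JSSE client socket rather than
 * depending on which versions the JDK enables by default.
 */
public class TlsClientProtocols {

    // Versions this client is willing to negotiate, preferred first.
    private static final String[] WANTED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Intersect the wanted versions with what this JDK actually supports. */
    static String[] selectProtocols(String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> chosen = new ArrayList<String>();
        for (String p : WANTED) {
            if (sup.contains(p)) {
                chosen.add(p);
            }
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = 443;

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        SSLSocketFactory factory = ctx.getSocketFactory();

        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            System.out.println("Enabled by default: "
                    + Arrays.toString(socket.getEnabledProtocols()));
            socket.setEnabledProtocols(selectProtocols(socket.getSupportedProtocols()));
            socket.startHandshake();
            // A version-intolerant server fails here instead of negotiating a lower version.
            System.out.println("Negotiated: " + socket.getSession().getProtocol());
        } finally {
            socket.close();
        }
    }
}
```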

