Code review request, CR 7093640 Enable TLS 1.1 and TLS 1.2 by default in JSSE client

Sean Mullan sean.mullan at oracle.com
Wed Jan 18 12:24:16 PST 2012


I haven't reviewed the changes, but since this has potential 
compatibility impact, this will also require a CCC request. You might 
want to submit it now, and make any adjustments later based on the code 
review.

--Sean

On 01/12/2012 10:17 AM, Xuelei Fan wrote:
> Hi,
>
> webrev: http://cr.openjdk.java.net/~xuelei/7093640/webrev.00/
>
> It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.
>
> There is a known tls-version-number tolerant issue for deployed SSL
> servers. That is, some servers cannot work with clients whose TLS
> version number is bigger than or equals to TLS 1.0. It only happens to
> very very very very old and few servers now.
>
> In JDK 7, because of known server tls-version-number tolerant issues ,
> TLS 1.1 and TLS 1.2 is not enabled by default in JSSE client.
>
> TLS 1.1 is able to avoid the CBC issues in TLS 1.0 and previous
> releases; and TLS 1.2 is able to use stronger hash functions.  As the
> tls-version-number tolerant issues have been decreasing recent years,
> and the industry is purchasing to use new TLS versions in order to avoid
> CBC attack and comply to new hash policy, it's time for us to consider
> enable TLS 1.1 and TLS 1.2 in JSSE client by default.
>
> I know that because there are a few very old servers refuse to or cannot
> upgrade to latest TLS implementations, we may run into a few
> compatibility issue because of TLS-version-number tolerant issues. But
> what's the right time to make use of the advanced features for most of us?
>
> It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.
>
> Please review the the changes.
>
> Thanks,
> Xuelei




More information about the security-dev mailing list