Code review request, 7093640, Enable TLS 1.2 for client-side default contexts
Xuelei Fan
xuelei.fan at oracle.com
Tue Dec 17 10:08:11 UTC 2013
Hi,
This is a request to enable TLS 1.2 for client-side default contexts.
Please review this update.
webrev: http://cr.openjdk.java.net/~xuelei/7093640/webrev.00/
We are still concerned about the version intolerance issue with some older
SSL/TLS server implementations. As a workaround, a new system property,
"jdk.tls.client.protocols", is defined to configure the protocols in
default contexts.
By default, TLS 1.1 and TLS 1.2 (plus other supported and safe
protocols) are enabled unless the system property is explicitly configured
and does not contain "TLSv1.1" or "TLSv1.2".
The property string is a list of comma separated standard SSL protocol
names. The syntax of the property string can be described as this Java
BNF-style:
    ClientProtocols:
        ('"' SSLProtocolNames '"') | SSLProtocolNames

    SSLProtocolNames:
        SSLProtocolName { , SSLProtocolName }

    SSLProtocolName:
        (see below)
The "SSLProtocolName" is the standard SSL protocol name as described in
the "Java Cryptography Architecture Standard Algorithm Name
Documentation". If the property value does not comply with the above
syntax, or the specified value of SSLProtocolName is not a supported SSL
protocol name, the instantiation of the SSLContext provider service (via
SSLContext.getInstance() methods) may generate a
java.security.NoSuchAlgorithmException. Please note that the protocol
name is case-sensitive.
If the system property is not set or is empty, the default enabled
protocol setting in both client and server looks like:
    Protocol     Enabled      Enabled
                 for Client   for Server
    --------     ----------   ----------
    SSLv3        Yes          Yes
    TLSv1        Yes          Yes
    TLSv1.1      Yes          Yes
    TLSv1.2      Yes          Yes
    SSLv2Hello   No           Yes
If the system property is set to "TLSv1,TLSv1.1", the default enabled
protocol setting in both client and server looks like:
    Protocol     Enabled      Enabled
                 for Client   for Server
    --------     ----------   ----------
    SSLv3        No           Yes
    TLSv1        Yes          Yes
    TLSv1.1      Yes          Yes
    TLSv1.2      No           Yes
    SSLv2Hello   No           Yes
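As an added illustration (not part of the webrev or of the JDK's own code), a small Java program that parses a "jdk.tls.client.protocols" value according to the syntax above and then compares it with what the running JDK actually enables for its default client context. The SUPPORTED set is an assumption taken from the tables in this message rather than queried from the provider.

```java
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.net.ssl.SSLContext;

public class ClientProtocolsCheck {
    // Assumption: the protocol names listed in the tables above are the
    // supported set; a real provider would be asked instead.
    static final Set<String> SUPPORTED = new LinkedHashSet<>(
        Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"));

    // Parse the property value: an optionally double-quoted, comma-separated
    // list of case-sensitive standard protocol names. An unset or empty value
    // means the built-in defaults apply. Anything else that does not match the
    // syntax or names an unsupported protocol fails like SSLContext.getInstance().
    static List<String> parseClientProtocols(String value) throws NoSuchAlgorithmException {
        if (value == null || value.isEmpty()) {
            return Collections.emptyList();
        }
        String s = value.trim();
        if (s.length() >= 2 && s.startsWith("\"") && s.endsWith("\"")) {
            s = s.substring(1, s.length() - 1);
        }
        List<String> names = new ArrayList<>();
        for (String part : s.split(",", -1)) {
            String name = part.trim();
            if (!SUPPORTED.contains(name)) {
                throw new NoSuchAlgorithmException("Unsupported protocol name: '" + name + "'");
            }
            names.add(name);
        }
        return names;
    }

    // Run as: java -Djdk.tls.client.protocols="TLSv1,TLSv1.1" ClientProtocolsCheck
    public static void main(String[] args) throws Exception {
        String prop = System.getProperty("jdk.tls.client.protocols");
        System.out.println("jdk.tls.client.protocols = " + prop
            + " -> requested " + parseClientProtocols(prop));

        // What the installed JDK really enables for a default client context;
        // this is the value worth checking on a deployment, not the property alone.
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        System.out.println("Default client protocols: " + enabled);
        if (enabled.contains("SSLv3")) {
            System.out.println("Note: SSLv3 is still enabled on the client side");
        }
    }
}
```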
This update does not impact the API specification of JSSE, the JSSE server
side, or third-party providers.
Thanks,
Xuelei