Code review request, 7093640, Enable TLS 1.2 for client-side default contexts

Xuelei Fan xuelei.fan at oracle.com
Tue Dec 17 10:08:11 UTC 2013


Hi,

This is a request to enable TLS 1.2 for client-side default contexts.
Please review this update.

webrev: http://cr.openjdk.java.net/~xuelei/7093640/webrev.00/

We are still concerned about the version intolerance issue with some older
SSL/TLS server implementations.  As a workaround, a new system property,
"jdk.tls.client.protocols", is defined to configure the protocols in
default contexts.

By default, TLS 1.1 and TLS 1.2 (plus other supported and safe
protocols) are enabled unless the system property is explicitly configured
and does not contain "TLSv1.1" or "TLSv1.2".

The property string is a list of comma separated standard SSL protocol
names. The syntax of the property string can be described in this Java
BNF style:
     ClientProtocols:
            ('"' SSLProtocolNames '"') | SSLProtocolNames
     SSLProtocolNames:
            SSLProtocolName { , SSLProtocolName }
     SSLProtocolName:
        (see below)

The "SSLProtocolName" is the standard SSL protocol name as described in
the "Java Cryptography Architecture Standard Algorithm Name
Documentation". If the property value does not comply with the above
syntax, or the specified value of SSLProtocolName is not a supported SSL
protocol name, the instantiation of the SSLContext provider service (via
SSLContext.getInstance() methods) may generate a
java.security.NoSuchAlgorithmException. Please note that the protocol
name is case-sensitive.

If the system property is not set or is empty, the default enabled
protocol setting in both client and server looks like:

Protocol         Enabled           Enabled
                 for Client        for Server
--------         ----------        ----------
SSLv3            Yes               Yes
TLSv1            Yes               Yes
TLSv1.1          Yes               Yes
TLSv1.2          Yes               Yes
SSLv2Hello       No                Yes


If the system property is set to "TLSv1,TLSv1.1", the default enabled
protocol setting in both client and server looks like:

Protocol         Enabled           Enabled
                 for Client        for Server
--------         ----------        ----------
SSLv3            No                Yes
TLSv1            Yes               Yes
TLSv1.1          Yes               Yes
TLSv1.2          No                Yes
SSLv2Hello       No                Yes
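
As an added example (not JSSE source and not part of the webrev), the
following Python models the property syntax above and the resulting
client/server tables: it parses a "jdk.tls.client.protocols" value per the
BNF, rejects unsupported or wrongly-cased names the way
SSLContext.getInstance() would (with a stand-in for
NoSuchAlgorithmException), and renders the Yes/No table for a given value.
Tolerating whitespace around names is an assumption; the BNF is silent on it.

```python
# Added example (not JSSE source): a model of how the proposed
# jdk.tls.client.protocols property selects the default enabled protocols.
from typing import Dict, List, Optional

# Standard SSL protocol names from the JCA Standard Algorithm Name Documentation.
SUPPORTED_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Defaults taken from the first table in the request (property unset or empty).
DEFAULT_CLIENT_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEFAULT_SERVER_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "SSLv2Hello")


class NoSuchAlgorithmException(Exception):
    """Stand-in for java.security.NoSuchAlgorithmException."""


def parse_client_protocols(value: str) -> List[str]:
    """Parse a property value per the BNF in the request:

        ClientProtocols:  ('"' SSLProtocolNames '"') | SSLProtocolNames
        SSLProtocolNames: SSLProtocolName { , SSLProtocolName }

    Names are matched case-sensitively. Whitespace around names is tolerated
    (an assumption; the BNF is silent on it). Bad syntax or an unsupported
    name raises NoSuchAlgorithmException, mirroring SSLContext.getInstance().
    """
    text = value.strip()
    if text.startswith('"') and text.endswith('"') and len(text) >= 2:
        text = text[1:-1]          # quoted form
    elif '"' in text:
        raise NoSuchAlgorithmException(f"unbalanced quote in {value!r}")
    names = [name.strip() for name in text.split(",")]
    for name in names:
        if not name:
            raise NoSuchAlgorithmException(f"empty protocol name in {value!r}")
        if name not in SUPPORTED_PROTOCOLS:   # case-sensitive comparison
            raise NoSuchAlgorithmException(f"unsupported SSL protocol {name!r}")
    return names


def property_is_valid(value: str) -> bool:
    """True if SSLContext.getInstance() would accept this property value."""
    try:
        parse_client_protocols(value)
        return True
    except NoSuchAlgorithmException:
        return False


def enabled_protocols(prop: Optional[str]) -> Dict[str, List[str]]:
    """Enabled protocol lists for the default client and server contexts.

    An unset or empty property keeps the defaults; otherwise the client list
    is exactly what the property names. The server side is never affected.
    """
    if prop is None or prop.strip() == "":
        client = list(DEFAULT_CLIENT_PROTOCOLS)
    else:
        client = parse_client_protocols(prop)
    return {"client": client, "server": list(DEFAULT_SERVER_PROTOCOLS)}


def render_table(prop: Optional[str]) -> str:
    """Render the Yes/No table used in the request for a given property value."""
    enabled = enabled_protocols(prop)
    rows = ["Protocol         Enabled           Enabled",
            "                 for Client        for Server",
            "--------         ----------        ----------"]
    for name in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "SSLv2Hello"):
        client = "Yes" if name in enabled["client"] else "No"
        server = "Yes" if name in enabled["server"] else "No"
        rows.append(f"{name:<17}{client:<18}{server}")
    return "\n".join(rows)


if __name__ == "__main__":
    for value in (None, "TLSv1,TLSv1.1", '"TLSv1.2"'):
        print(f"jdk.tls.client.protocols={value!r}")
        print(render_table(value), end="\n\n")
    # A lowercase or unknown name is rejected, as the request specifies.
    print("tlsv1.2 accepted?", property_is_valid("tlsv1.2"))
```

Running the script reproduces the two tables from this message and shows
that "TLSv1,TLSv1.1" drops TLSv1.2 (and SSLv3) only on the client side,
while a value such as "tlsv1.2" is rejected outright rather than silently
ignored.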

This update does not impact the API specification of JSSE, the JSSE server
side, or third-party providers.

Thanks,
Xuelei
