Code review request, JDK-8052406, SSLv2Hello protocol may be filter out unexpectedly
Xuelei Fan
xuelei.fan at oracle.com
Wed Jul 30 12:56:15 UTC 2014
Hi,

Please review this fix for JDK-8052406:

Webrev: http://cr.openjdk.java.net/~xuelei/8052406/webrev.00/
JBS: https://bugs.openjdk.java.net/browse/JDK-8049321

For TLS connections, if no suitable cipher suite is available for a
particular TLS protocol, that protocol should not be negotiated. For
example, if only "TLS_RSA_WITH_AES_128_CBC_SHA256" is enabled, as it is
only supported by TLS version 1.2, the connection should be negotiated
TLS version 1 and 1.1.

In the SunJSSE implementation, we check the binding of enabled protocols
and enabled cipher suites. SSLv2Hello may be improperly filtered out when
performing the check above. Actually, SSLv2Hello is not a real SSL/TLS
protocol; it is only used as the format of the ClientHello message. If
SSLv2Hello is enabled, it should not be filtered out.

This fix addresses the SunJSSE implementation problem above.

Thanks,
Xuelei
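
A simplified model of the protocol and cipher suite binding check described in the message above, added here as an illustration and not taken from SunJSSE or the webrev. The class name, method names and the small suite table are assumptions made for the example; it contrasts a filter that applies the suite check to every enabled name with one that exempts SSLv2Hello.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Hypothetical model, not SunJSSE source: all names below are made up for illustration.
public class ActiveProtocolsDemo {
    // Real protocol versions, lowest to highest. SSLv2Hello is deliberately
    // absent: it is a ClientHello format, not a protocol version.
    static final List<String> VERSIONS = List.of("TLSv1", "TLSv1.1", "TLSv1.2");

    // Constructed sample table: lowest protocol version each suite can be used with.
    static final Map<String, String> MIN_VERSION = Map.of(
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLSv1",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2");

    // True when the suite can be negotiated under the given protocol name.
    static boolean usable(String suite, String protocol) {
        String min = MIN_VERSION.get(suite);
        return min != null && VERSIONS.indexOf(protocol) >= VERSIONS.indexOf(min);
    }

    // Flawed filter: every enabled name, SSLv2Hello included, needs a usable
    // suite, so the hello format is dropped because no suite is bound to it.
    static List<String> activeFlawed(List<String> protocols, List<String> suites) {
        List<String> active = new ArrayList<>();
        for (String p : protocols) {
            if (suites.stream().anyMatch(s -> usable(s, p))) active.add(p);
        }
        return active;
    }

    // Corrected filter: SSLv2Hello skips the suite check and stays enabled.
    static List<String> activeFixed(List<String> protocols, List<String> suites) {
        List<String> active = new ArrayList<>();
        for (String p : protocols) {
            boolean helloFormat = p.equals("SSLv2Hello");
            if (helloFormat || suites.stream().anyMatch(s -> usable(s, p))) active.add(p);
        }
        return active;
    }

    public static void main(String[] args) {
        List<String> protocols = List.of("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2");
        List<String> suites = List.of("TLS_RSA_WITH_AES_128_CBC_SHA256");
        System.out.println("flawed: " + activeFlawed(protocols, suites));
        System.out.println("fixed:  " + activeFixed(protocols, suites));
    }
}
```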