Code review request, JDK-8052406, SSLv2Hello protocol may be filter out unexpectedly
Wang Weijun
weijun.wang at oracle.com
Thu Jul 31 00:14:15 UTC 2014
The fix looks harmless, but I don't understand the test. What happens if SSLv2Hello is filtered out?
--Max
On Jul 30, 2014, at 20:56, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> Hi,
>
> Please review this fix for JDK-8052406:
>
> Webrev: http://cr.openjdk.java.net/~xuelei/8052406/webrev.00/
> JBS: https://bugs.openjdk.java.net/browse/JDK-8049321
>
> For TLS connections, if no suitable cipher suite available for a
> particular TLS protocol, such protocol should not be negotiated. For
> example, if only "TLS_RSA_WITH_AES_128_CBC_SHA256" enabled, as it is
> only supported by TLS version 1.2, the connection should be negotiated
> TLS version 1 and 1.1.
>
> In SunJSSE implementation, we check the binding of enabled protocols and
> enabled cipher suites. SSLv2Hello may be improperly filter out when
> making the checking above. Actually, SSLv2Hello is not a real SSL/TLS
> protocol, it is only used as the format of ClientHello message. If
> SSLv2Hello is enabled, it should not be filter out.
>
> This fix address the SunJSSE problem implementation above.
>
> Thanks,
> Xuelei
More information about the security-dev
mailing list