ssl clients (poodle)
Bernd Eckenfels
ecki at zusammenkunft.net
Thu Oct 23 01:21:53 UTC 2014
Hello,

I know there is an Oracle article on Java SE vs. Poodle which
essentially describes https.protocols for java.net.URL and
jdk.tls.client.protocols for default SSLContext in JDK8+.

What is not described is if there is any out of band protocol fallback
implemented (especially in https handler). I think there is none, at
least I haven't seen any, but maybe somebody else can tell?
If there is none, the client side would not be that critical.

I also wonder if this also means there should be a
jdk.tls.client.protocols.blacklist and
jdk.tls.server.protocols.blacklist property which cannot be
circumvented (i.e. works with all requested protocols and even when
enable is called). (and maybe jdk.tls.*.cipher.blacklist as well)

Besides that, any news on the FALLBACK_SCSV patch from Florian?

Regards
Bernd
More information about the security-dev
mailing list