ssl clients (poodle)

Bernd Eckenfels ecki at zusammenkunft.net
Thu Oct 23 01:21:53 UTC 2014


Hello,

I know there is an Oracle article on Java SE vs. Poodle which
essentially describes https.protocols for java.net.URL and
jdk.tls.client.protocols for default SSLContext in JDK8+.

What is not described is if there is any out of band protocol fallback
implemented (especially in https handler). I think there is none, at
least I haven't seen any, but maybe somebody else can tell?

If there is none, the client side would not be that critical.

I also wonder if this also means there should be a

jdk.tls.client.protocols.blacklist and
jdk.tls.server.protocols.blacklist property which cannot be
circumvented (i.e. works with all requested protocols and even when
enable is called). (and maybe jdk.tls.*.cipher.blacklist as well)

Besides that, any news on the FALLBACK_SCSV patch from Florian?

Gruss
Bernd
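
The two client-side properties named in the message above, shown as an added example that is not part of the original message or of the Oracle article. The class name `ClientProtocolCheck`, the helper `withoutSslv3` and the value `TLSv1.2` are assumptions made for illustration; the code prints what a default client socket enables and filters SSLv3 out of an explicitly requested protocol list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class ClientProtocolCheck {

    // Hypothetical helper: drop SSLv3 from a protocol list before it is enabled.
    static String[] withoutSslv3(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!"SSLv3".equals(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Property names are from the message; the value is an assumed choice.
        // Set them before the JVM first touches TLS (or pass them with -D).
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2"); // default SSLContext, JDK 8+
        System.setProperty("https.protocols", "TLSv1.2");          // https URL handler

        SSLContext ctx = SSLContext.getDefault();
        // An unconnected socket is enough to inspect the protocol lists.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            System.out.println("supported: "
                    + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("enabled by default: "
                    + Arrays.toString(socket.getEnabledProtocols()));

            // Code that requests protocols explicitly replaces the default list,
            // so it has to filter SSLv3 itself.
            socket.setEnabledProtocols(withoutSslv3(socket.getSupportedProtocols()));
            List<String> enabled = Arrays.asList(socket.getEnabledProtocols());
            System.out.println("after explicit request: " + enabled);

            if (enabled.contains("SSLv3")) {
                throw new IllegalStateException("SSLv3 is still enabled on this socket");
            }
        }
    }
}
```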

