[9] RFC: 8061798: Add support for TLS_FALLBACK_SCSV (RFC 7507)
Thomas Lußnig
openjdk at suche.org
Wed May 6 18:32:36 UTC 2015
Hi,
i looked at the patch files looks OK for me too.
Since i also implemented it i can tel the server part ist ok.
Once think i found maybe an optimisation:
instead of
mesg.protocolVersion.compareTo(getActiveProtocols().max) < 0
maybe use
mesg.protocolVersion.v < getActiveProtocols().max.v
in the server handshaker.
Gruß Thomas
On 06.05.2015 15:42, Florian Weimer wrote:
> On 05/06/2015 01:42 AM, Xuelei Fan wrote:
>> As additional APIs are strongly desired, what do you think to make the
>> API more general and easy to use? For example, using the name:
>>
>> SSLParameters.setUseFallbackMode(boolean isFallback)
>> boolean SSLParameters.getuseFallbackMode()
>>
>> We can implement more for this parameters if need to take care of
>> additional more problems during fallback negotiation. Instinctively,
>> developers and code reviewers would not call this APIs unless this is a
>> real fallback negotiation, I think.
> Sounds reasonable. I have add an @implNote mentioning that the default
> provider sends TLS_FALLBACK_SCSV.
>
> <http://cr.openjdk.java.net/~fweimer/8061798/webrev.01/>
>
> There are now additional tests which explicitly verify the cipher suite
> list sent by the client.
>
More information about the security-dev
mailing list