RFR [13] JDK-8168261: Use server cipher suites preference by default
Sean Mullan
sean.mullan at oracle.com
Mon Apr 1 19:34:28 UTC 2019
On 3/29/19 11:23 AM, Xuelei Fan wrote:
> On 3/28/2019 12:33 PM, Sean Mullan wrote:
>> On 3/28/19 10:50 AM, Xuelei Fan wrote:
>>> ping ...
>>>
>>> Xuelei
>>>
>>> On 3/21/2019 8:24 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Could I get the update reviewed?
>>>> http://cr.openjdk.java.net/~xuelei/8168261/webrev.00/
>>>>
>>>> With this update, server cipher suite preference will be used by
>>>> default for TLS handshaking in the SunJSSE provider. For more
>>>> details, please refer to CSR:
>>>> https://bugs.openjdk.java.net/browse/JDK-8219657
>>
>> Can you explain why the change in SSLContextSpi was necessary?
>>
> There is a bug in the implementation.
>
> The spec says:
> "The default implementation obtains the parameters from an
> SSLSocket ..."
>
> The parameters should be populated by the socket.
>
>> Also, why do we need to override the engine methods in SSLContextImpl?
>> Probably something simple, but not seeing the reason just from the
>> diffs ...
>>
> The SSLContextSpi implementation uses default SSLSocket instance for the
> parameters, which does not apply to DTLS protocols as the SunJSSE
> provider does not support DTLS protocols.
>
> If we update SSLContextSpi within this update, the SSLContextImpl update
> is not necessary any more.
>
> Here is the new webrev that removes the SSLContextImpl update:
> http://cr.openjdk.java.net/~xuelei/8168261/webrev.01/
Ok, looks good.
--Sean
More information about the security-dev
mailing list