RFR: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols

Bradford Wetmore bradford.wetmore at oracle.com
Thu Dec 5 01:18:42 UTC 2019

In line 601, doesn't this mean that SSL3/SSL20Hello are not longer 
available as supported, and that you can't turn them back on?


On 12/4/2019 1:19 PM, Rajan Halade wrote:
> May I request you to review following fix which removes SSLv2Hello and 
> SSLv3 from default enabled protocols.
> SSLv3 has been deprecated with RFC 7568. We have already disabled it by 
> default in 2015 by adding it to the jdk.tls.disabledAlgorithms property. 
> This fix removes it from default enabled list as well. If client/server 
> want to use this protocol they can still do so by enabling it with 
> setEnabledProtocols() API.
> Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/
> Thanks,
> Rajan

More information about the security-dev mailing list