RFR: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols

Rajan Halade RAJAN.HALADE at ORACLE.COM
Thu Dec 5 22:12:23 UTC 2019


The method at line 596 is only called at line 855 from customizedProtocols class. It should really be read as getServerDefaultProtocols. Supported protocols are returned correctly on SSLEngine, SSLServerSocket, and SSLSocket.

I thought about cleaning/renaming it but then AbstractTLSContext already has serverDefaultProtocols and getProtocols() in customizedProtocols can also be moved out. I will file a separate bug to handle these cleanups.
 
Thanks,
Rajan

> On Dec 4, 2019, at 5:18 PM, Bradford Wetmore <bradford.wetmore at oracle.com> wrote:
> 
> In line 601, doesn't this mean that SSL3/SSL20Hello are not longer available as supported, and that you can't turn them back on?
> 
> Brad
> 
> 
> On 12/4/2019 1:19 PM, Rajan Halade wrote:
>> May I request you to review following fix which removes SSLv2Hello and SSLv3 from default enabled protocols.
>> SSLv3 has been deprecated with RFC 7568. We have already disabled it by default in 2015 by adding it to the jdk.tls.disabledAlgorithms property. This fix removes it from default enabled list as well. If client/server want to use this protocol they can still do so by enabling it with setEnabledProtocols() API.
>> Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/
>> Thanks,
>> Rajan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20191205/40e50e27/attachment.htm>


More information about the security-dev mailing list