RFR: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols

Sean Mullan sean.mullan at oracle.com
Thu Dec 5 23:45:25 UTC 2019

Looks good, and I see you have also drafted a CSR for this:


This looks good so I added my name as Reviewer. My only comment is that 
you could be more specific about the fully-qualified names of the APIs 
(instead of just getEnabledProtocols) and the specific system properties.


On 12/4/19 4:19 PM, Rajan Halade wrote:
> May I request you to review following fix which removes SSLv2Hello and 
> SSLv3 from default enabled protocols.
> SSLv3 has been deprecated with RFC 7568. We have already disabled it by 
> default in 2015 by adding it to the jdk.tls.disabledAlgorithms property. 
> This fix removes it from default enabled list as well. If client/server 
> want to use this protocol they can still do so by enabling it with 
> setEnabledProtocols() API.
> Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/
> Thanks,
> Rajan

More information about the security-dev mailing list