RFR: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols
Sean Mullan
sean.mullan at oracle.com
Thu Dec 5 23:45:25 UTC 2019
Looks good, and I see you have also drafted a CSR for this:
https://bugs.openjdk.java.net/browse/JDK-8235350
This looks good so I added my name as Reviewer. My only comment is that
you could be more specific about the fully-qualified names of the APIs
(instead of just getEnabledProtocols) and the specific system properties.
--Sean
On 12/4/19 4:19 PM, Rajan Halade wrote:
> May I request you to review following fix which removes SSLv2Hello and
> SSLv3 from default enabled protocols.
>
> SSLv3 has been deprecated with RFC 7568. We have already disabled it by
> default in 2015 by adding it to the jdk.tls.disabledAlgorithms property.
> This fix removes it from default enabled list as well. If client/server
> want to use this protocol they can still do so by enabling it with
> setEnabledProtocols() API.
>
> Webrev: http://cr.openjdk.java.net/~rhalade/8190492/webrev.00/
>
> Thanks,
> Rajan
>
More information about the security-dev
mailing list