CSR Review Request JDK-816826, Use server cipher suites preference by default

Sean Mullan sean.mullan at oracle.com
Tue Mar 12 13:05:12 UTC 2019


Looks good, but a couple of comments:

In the Solution section, it says: "Applications can change the behavior 
with the existing SSLParameters.setUseCipherSuitesOrder() method."

I think you should be more clear that this means applications can change 
the order of the server's preferred cipher suites. There will be no way 
to go back to the previous behavior where the client's order is respected.

Same comment in the proposed Release Note, although I don't think this 
section needs to be in the CSR, does it?

--Sean

On 2/25/19 12:36 PM, Xuelei Fan wrote:
> Hi,
> 
> Could I have the following CSR reviewed?
>     https://bugs.openjdk.java.net/browse/JDK-8219657
> 
> It is proposing to use server cipher suite preference by default for TLS 
> connections in JDK. In the current implementation, the server honors the 
> client cipher suite preference by default. It is easier to maintain if 
> using the server cipher suite preference, and then the server can have 
> more control over the security parameters of TLS connections.
> 
> I think the compatibility impact should be minimal.  If there is a known 
> risk for you, please let me know by the end of March 4, 2019.
> 
> Thanks,
> Xuelei
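
The behavior change discussed in this thread, as an added example (not code from the CSR, the JDK or either poster). `select` is a hypothetical, simplified model of suite selection under client order versus server order, the suite lists are constructed samples, and `serverParameters` uses the existing `SSLParameters` calls to set the server's preference order.

```java
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuitePreference {

    // Simplified model of suite selection (hypothetical, not the JDK's handshake
    // code): walk one side's list in order, pick the first suite the other lists.
    static String select(List<String> clientOffer, List<String> serverEnabled,
                         boolean useServerOrder) {
        List<String> ordering = useServerOrder ? serverEnabled : clientOffer;
        List<String> other = useServerOrder ? clientOffer : serverEnabled;
        for (String suite : ordering) {
            if (other.contains(suite)) {
                return suite;
            }
        }
        return null; // no common suite: the handshake would fail
    }

    // Server-side parameters: the array order passed to setCipherSuites is the
    // server's preference order, applied when useCipherSuitesOrder is true.
    static SSLParameters serverParameters(SSLContext ctx, String... preferred) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(preferred);
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample lists; the client puts a CBC/SHA-1 suite first.
        List<String> client = List.of(
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        List<String> server = List.of(
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

        System.out.println("client order: " + select(client, server, false));
        System.out.println("server order: " + select(client, server, true));

        SSLParameters p = serverParameters(SSLContext.getDefault(),
            server.toArray(new String[0]));
        System.out.println("useCipherSuitesOrder=" + p.getUseCipherSuitesOrder()
            + " first=" + p.getCipherSuites()[0]);
    }
}
```

The returned parameters are applied on the server side with `SSLServerSocket.setSSLParameters` or `SSLEngine.setSSLParameters`.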

