CSR Review Request JDK-816826, Use server cipher suites preference by default

Sean Mullan sean.mullan at oracle.com
Tue Mar 12 13:05:12 UTC 2019


Looks good, but a couple of comments:

In the Solution section, it says: "Applications can change the behavior 
with the existing SSLParameters.setUseCipherSuitesOrder​() method."

I think you should be more clear that this means applications can change 
the order of the server's preferred cipher suites. There will be no way 
to go back to the previous behavior where the client's order is respected.

Same comment in the proposed Release Note, although I don't think this 
section needs to be in the CSR, does it?

--Sean

On 2/25/19 12:36 PM, Xuelei Fan wrote:
> Hi,
> 
> Could I have the following CSR reviewed?
>     https://bugs.openjdk.java.net/browse/JDK-8219657
> 
> It is proposing to use server cipher suite preference by default for TLS 
> connections in JDK. In the current implementation, the server honors the 
> client cipher suite preference by default. It is easier to maintain if 
> using the server cipher suite preference, and then the server can have 
> more control over the security parameters of TLS connections.
> 
> I think the compatibility impact should be minimal.  If there is a known 
> risk for you, please let me know by the end of March 4, 2019.
> 
> Thanks,
> Xuelei



More information about the security-dev mailing list