CSR Review Request JDK-816826, Use server cipher suites preference by default
Xuelei Fan
xuelei.fan at oracle.com
Tue Mar 12 17:12:37 UTC 2019
On 3/12/2019 6:05 AM, Sean Mullan wrote:
> Looks good, but a couple of comments:
>
> In the Solution section, it says: "Applications can change the behavior
> with the existing SSLParameters.setUseCipherSuitesOrder() method."
>
> I think you should be more clear that this means applications can change
> the order of the server's preferred cipher suites. There will be no way
> to go back to the previous behavior where the client's order is respected.
>
If a server calls SSLParameters.setUseCipherSuitesOrder(false), the
client's order is respected.
> Same comment in the proposed Release Note, although I don't think this
> section needs to be in the CSR, does it?
>
It's not a required part of the CSR. I use this section to have the
release note reviewed as well. I will remove this section as it is a
kind of duplication of the release-note entry.
Thanks,
Xuelei
> --Sean
>
> On 2/25/19 12:36 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I have the following CSR reviewed?
>> https://bugs.openjdk.java.net/browse/JDK-8219657
>>
>> It is proposing to use server cipher suite preference by default for
>> TLS connections in JDK. In the current implementation, the server
>> honors the client cipher suite preference by default. It is easier to
>> maintain if using the server cipher suite preference, and then the
>> server can have more control over the security parameters of TLS
>> connections.
>>
>> I think the compatibility impact should be minimal. If there is a
>> known risk for you, please let me know by the end of March 4, 2019.
>>
>> Thanks,
>> Xuelei
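
The server-side switch discussed in this thread, as an added example that is not part of the original messages or of the JDK change itself. The class name `CipherOrderDemo` and the `PREFERRED` list are assumptions constructed for illustration; only suites the local provider supports are enabled.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration; the class name and PREFERRED list are assumptions.
public class CipherOrderDemo {
    // Constructed sample preference list, most preferred first.
    static final String[] PREFERRED = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    // Builds a server-mode engine. honorServerOrder=true makes the server pick
    // by its own list order; false restores the client-order behaviour.
    static SSLEngine serverEngine(boolean honorServerOrder) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        // Keep only the preferred suites this provider actually supports.
        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (supported.contains(suite)) enabled.add(suite);
        }

        SSLParameters params = engine.getSSLParameters();
        if (!enabled.isEmpty()) {
            params.setCipherSuites(enabled.toArray(new String[0]));
        }
        params.setUseCipherSuitesOrder(honorServerOrder);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine untouched = SSLContext.getDefault().createSSLEngine();
        untouched.setUseClientMode(false);
        // The value printed here depends on the JDK release in use.
        System.out.println("JDK default useCipherSuitesOrder: "
                + untouched.getSSLParameters().getUseCipherSuitesOrder());
        SSLEngine clientOrder = serverEngine(false);
        System.out.println("After opt-out: "
                + clientOrder.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```

Setting the flag explicitly on every server socket or engine keeps the behaviour the same across JDK releases on either side of this change.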