CSR Review Request JDK-816826, Use server cipher suites preference by default
Sean Mullan
sean.mullan at oracle.com
Tue Mar 12 17:27:25 UTC 2019
On 3/12/19 1:12 PM, Xuelei Fan wrote:
> On 3/12/2019 6:05 AM, Sean Mullan wrote:
>> Looks good, but a couple of comments:
>>
>> In the Solution section, it says: "Applications can change the
>> behavior with the existing SSLParameters.setUseCipherSuitesOrder()
>> method."
>>
>> I think you should be more clear that this means applications can
>> change the order of the server's preferred cipher suites. There will
>> be no way to go back to the previous behavior where the client's order
>> is respected.
>>
> If a server calls SSLParameters.setUseCipherSuitesOrder(false), the
> client's order is respected.

Oh, ok, I retract my comment then. When I read this, I had
misinterpreted this to be the method that you use to set the enabled suites.

--Sean

>
>> Same comment in the proposed Release Note, although I don't think this
>> section needs to be in the CSR, does it?
>>
> It's not a required part of the CSR. I use this section to have the
> release note reviewed as well. I will remove this section as it is a
> kind of duplication of the release-note entry.
>
> Thanks,
> Xuelei
>
>> --Sean
>>
>> On 2/25/19 12:36 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I have the following CSR reviewed?
>>> https://bugs.openjdk.java.net/browse/JDK-8219657
>>>
>>> It is proposing to use server cipher suite preference by default for
>>> TLS connections in JDK. In the current implementation, the server
>>> honors the client cipher suite preference by default. It is easier to
>>> maintain if using the server cipher suite preference, and then the
>>> server can have more control over the security parameters of TLS
>>> connections.
>>>
>>> I think the compatibility impact should be minimal. If there is a
>>> known risk for you, please let me know by the end of March 4, 2019.
>>>
>>> Thanks,
>>> Xuelei
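
The setting discussed in this thread, as an added example that is not part of the original messages or of the JDK sources: `select` is a simplified model of cipher suite selection (an assumption for illustration, not JSSE's implementation), and `serverEngine` applies `SSLParameters.setUseCipherSuitesOrder()` to a server-side `SSLEngine`. The class name, helper names and suite lists are constructed for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.List;

public class CipherOrderDemo {
    // Simplified model of suite selection (illustrative assumption, not JSSE code):
    // walk the list of the side whose preference is honoured and pick the
    // first suite that the other side has also enabled.
    static String select(List<String> client, List<String> server, boolean useServerOrder) {
        List<String> preferred = useServerOrder ? server : client;
        List<String> other = useServerOrder ? client : server;
        for (String suite : preferred) {
            if (other.contains(suite)) {
                return suite;
            }
        }
        return null; // no suite in common: the handshake would fail
    }

    // Builds a server-side engine whose enabled suites are listed in the
    // server's preferred order, with the preference flag set explicitly.
    static SSLEngine serverEngine(String[] orderedSuites, boolean useServerOrder) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(orderedSuites);          // order matters when the flag is true
        params.setUseCipherSuitesOrder(useServerOrder); // false restores client preference
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample preference lists: the client lists AES-128 first,
        // the server lists AES-256 first.
        List<String> client = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        List<String> server = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

        System.out.println("server order honoured: " + select(client, server, true));
        System.out.println("client order honoured: " + select(client, server, false));

        SSLEngine engine = serverEngine(server.toArray(new String[0]), false);
        System.out.println("useCipherSuitesOrder on engine: "
                + engine.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```

Setting the flag explicitly on every server-side `SSLEngine` or `SSLServerSocket` keeps the negotiated suite independent of which default a given JDK release ships with.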