RFR [13] JDK-8168261: Use server cipher suites preference by default
Xuelei Fan
xuelei.fan at oracle.com
Fri Mar 29 15:23:13 UTC 2019
On 3/28/2019 12:33 PM, Sean Mullan wrote:
> On 3/28/19 10:50 AM, Xuelei Fan wrote:
>> ping ...
>>
>> Xuelei
>>
>> On 3/21/2019 8:24 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the update reviewed?
>>> http://cr.openjdk.java.net/~xuelei/8168261/webrev.00/
>>>
>>> With this update, server cipher suite preference will be used by
>>> default for TLS handshaking in the SunJSSE provider. For more
>>> details, please refer to CSR:
>>> https://bugs.openjdk.java.net/browse/JDK-8219657
>
> Can you explain why the change in SSLContextSpi was necessary?
>
There is a bug in the implementation.
The spec says:
"The default implementation obtains the parameters from an
SSLSocket ..."
The parameters should be populated by the socket.
> Also, why do we need to override the engine methods in SSLContextImpl?
> Probably something simple, but not seeing the reason just from the diffs
> ...
>
The SSLContextSpi implementation uses default SSLSocket instance for the
parameters, which does not apply to DTLS protocols as the SunJSSE
provider does not support DTLS protocols.
If we update SSLContextSpi within this update, the SSLContextImpl update
is not necessary any more.
Here is the new webrev that removes the SSLContextImpl update:
http://cr.openjdk.java.net/~xuelei/8168261/webrev.01/
Thanks,
Xuelei
More information about the security-dev
mailing list