Michael Tandy wrote:
Good point. But for FIPS-140 compliant. TLS1.0 should be used, SSL v2 Hello will not be used in a FIPS validated environment.

We can enable it always, I think, just as what the EC extension do now. But we need to consider a very small part of old servers which are not ready to read any extension data field, so we might need an approach to disable all extensions. Maybe adding a new system property to switch the extension is not so bad. (Personally, I dislike using system property)

Well, for old servers people have the option to use the SSL v2 Hello, in which case the extensions don't get sent.

Yes, I do remember that some of the current ssl/tls servers may refuse to accept connections from a client that used TLS extensions. Please refer to [1] and [2].

Do you think it's likely a server would require SSL3 or TLS, but wouldn't support hello extensions?

Thanks,
Andrew

[1]: http://blogs.msdn.com/ie/archive/2006/04/17/577702.aspx
[2]: http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx
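
The point made in this message, that an SSL v2 Hello carries no extensions while an SSL3/TLS ClientHello may append them (SNI's server_name among them), shown at the wire level. This is an added Python example, not code from the thread or from JSSE; the hello bytes are constructed samples and all function names are hypothetical.

```python
import struct

def build_tls_hello(host=None):
    """Constructed sample: minimal TLS 1.0 ClientHello, optionally with SNI."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_v2_hello():
    """Constructed sample: SSLv2-format hello offering TLS 1.0."""
    msg = b"\x01\x03\x01" + struct.pack("!HHH", 3, 0, 16) + b"\x00\x00\x2f" + bytes(16)
    return struct.pack("!H", 0x8000 | len(msg)) + msg

def classify_hello(data):
    """Return (format, extension_types, sni_host) for a client's first flight."""
    if data[0] & 0x80 and data[2] == 1:
        # SSLv2 framing has no extensions field, so SNI cannot be carried
        return ("sslv2-hello", [], None)
    if data[0] != 0x16 or data[5] != 1:
        raise ValueError("not a ClientHello")
    p = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                # session id
    p += 2 + struct.unpack_from("!H", data, p)[0]   # cipher suites
    p += 1 + data[p]                                # compression methods
    if p >= len(data):
        return ("tls-hello", [], None)              # hello ends here: no extensions block
    end = p + 2 + struct.unpack_from("!H", data, p)[0]
    p += 2
    types, host = [], None
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", data, p)
        types.append(etype)
        if etype == 0:  # server_name: list len(2), name type(1), name len(2), name
            nlen = struct.unpack_from("!H", data, p + 7)[0]
            host = data[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return ("tls-hello", types, host)
```

A server that predates hello extensions expects the message to end after the compression methods, which is the second return path above; the trailing extensions block is the data such servers may not be ready to read.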