[security-dev 00633]: Re: SNI support in JSSE

[Xuelei Fan]

Michael Tandy wrote: We can enable it always, I think, just as what the EC extension do now. But we need to consider a very small part of old servers which are not ready to read any extension data field, so we might need a approach to disable all extensions. Maybe adding a new system property to switch the extension is not so bad . (Personally, I dislike using system property) Well, for old servers people have the option to use the SSL v2 Hello, in which case the extensions don't get sent. Good point. But for FIPS-140 compliant. TLS1.0 should be used, SSL v2 Hello will not be used in a FIPS validated environment. Do you think it's likely a server would require SSL3 or TLS, but wouldn't support hello extensions? Yes, I do remember that some of the current ssl/tls servers may refuse to accept connections from a client that used TLS extensions. Please refer to [1] and [2]. Thanks, Andrew [1]: http://blogs.msdn.com/ie/archive/2006/04/17/577702.aspx [2]: http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx