> Good point. But for FIPS-140 compliance, TLS1.0 should be used; SSL v2 Hello
> will not be used in a FIPS validated environment.
On the subject of FIPS, perhaps you can answer a question: I gather we have FIPS support [3], but from the documentation [4] I've got no idea of how to enable it.

>> Do you think it's likely a server would require SSL3 or TLS, but
>> wouldn't support hello extensions?
>
> Yes, I do remember that some of the current ssl/tls servers may refuse to
> accept connections from a client that used TLS extensions. Please refer to
> [1] and [2].

OK, so as I see it our options are:

(a) don't include client SNI support in OpenJDK 7
(b) include SNI support with no API to turn it off, which will break some servers
(c) use a system property to work around the API freeze, add a proper API to the next version, and maintain support for the workaround forever
(d) use a system property to work around the API freeze, add a proper API to the next version, and break the workaround in the next version

None of those options sound very good to me. What do you think we should do?

Michael

[3] http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html
[4] http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
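To make the compatibility problem behind options (a) to (d) concrete, here is an added example (not code from this thread or from OpenJDK/JSSE) that serialises a TLS 1.0 ClientHello with and without the RFC 3546 server_name (SNI) extension and parses it back. The parser's `accept_extensions=False` mode emulates the strict pre-extension servers the thread worries about: they expect the message to end after the compression methods, so the extra extension bytes are treated as a decode error. The cipher list, the all-zero client_random and the host name are constructed inputs chosen for the example, not values taken from any real handshake.

```python
import struct

TLS10 = b"\x03\x01"
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 3546 server_name extension type
NAME_TYPE_HOST = 0x00      # host_name entry within the server_name list

# Constructed cipher list: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
DEFAULT_CIPHERS = (0x002F, 0x000A)


def build_client_hello(server_name=None, version=TLS10, ciphers=DEFAULT_CIPHERS,
                       client_random=bytes(32)):
    """Serialise a TLS record carrying a ClientHello.

    With server_name set, the extension block is appended after the compression
    methods; without it the message ends exactly where a pre-extension client's would.
    """
    body = version + client_random + b"\x00"            # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                 # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext       # extensions vector
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record, accept_extensions=True):
    """Parse a ClientHello record into {"version", "ciphers", "sni"}.

    accept_extensions=False models a legacy server: any bytes following the
    compression methods are rejected as a malformed ClientHello.
    """
    if record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    version = body[0:2]
    pos = 2 + 32                                        # skip client_random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    result = {"version": version, "ciphers": ciphers, "sni": None}
    if pos == len(body):
        return result                                   # plain hello, no extensions block
    if not accept_extensions:
        raise ValueError("decode_error: unexpected data after compression methods")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos < end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_data_len]; pos += ext_data_len
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[0:2])[0]
            lp, names = 2, []
            while lp < 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[lp:lp + 3]); lp += 3
                if name_type == NAME_TYPE_HOST:
                    names.append(data[lp:lp + name_len].decode("ascii"))
                lp += name_len
            result["sni"] = names
    return result


if __name__ == "__main__":
    extended = build_client_hello("example.com")        # constructed host name
    plain = build_client_hello()
    print("extended hello:", len(extended), "bytes, SNI =", parse_client_hello(extended)["sni"])
    print("plain hello:   ", len(plain), "bytes, SNI =", parse_client_hello(plain)["sni"])
    try:
        parse_client_hello(extended, accept_extensions=False)
    except ValueError as e:
        print("legacy server rejects extended hello:", e)
```

The only difference between the two messages is the 22-byte extensions vector at the end of the body, which is exactly what a server written against the pre-extension ClientHello grammar cannot account for. Note also that the SSLv2-compatible hello format mentioned in the quoted reply has no extensions field at all, so a client that is forced to send a V2 hello cannot send SNI regardless of which option above is chosen.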