Brad, Has there been any move to support TLS in oracle JRE? In terms of the continued use of SHA-1, here is a useful site that summarises various recommendations and most state that SHA-1 should be phased out now.
http://www.keylength.com/en/3/ I can see that openjdk now includes TLS 1.2 which is great. We are looking to replace all use of SHA-1 but use the standard JRE not openjdk. Regards, Martin -----Original Message----- From: security-dev-boun...@openjdk.java.net [mailto:security-dev-boun...@openjdk.java.net] On Behalf Of Bradford Wetmore Sent: 20 April 2010 22:49 To: Christopher Wood ( Ottawa ); 'security-dev@openjdk.java.net'; briefkas...@uebber.de Subject: Re: Support for TLS 1.1 & 1.2 Christian/Christopher and any others, On 1/7/2010 8:47 AM, Christopher Wood ( Ottawa ) wrote: > 1. In a previous email (January 2008) ...referring to Christian's email... http://mail.openjdk.java.net/pipermail/security-dev/2008-January/000054.html > asked about support for > TLS 1.1. The reply indicated that it was planned for J2SE 7 and that > the implementation was in progress; is that still the case? We had made some progress, but some higher-priority issues came up and it got back-burnered. > 2. Are there any plans to support TLS 1.2? If so, in what release and > timeframe? With all the transitions going on around here, we're now regrouping on the question of *BOTH* TLS 1.1 and 1.2 support. We're going to be re-proposing TLS 1.1/1.2 for a future JDK release. We've been pulling together our own reasons, but having actual customer feedback will help our case for completing this work. Any information you can supply about your needs may be added to our proposal. Feel free to reply directly to me if you'd rather not discuss your needs in a public forum. Thanks, Brad
