I haven't reviewed the changes, but since this has potential compatibility impact, this will also require a CCC request. You might want to submit it now, and make any adjustments later based on the code review.

--Sean

On 01/12/2012 10:17 AM, Xuelei Fan wrote:
Hi,

webrev: http://cr.openjdk.java.net/~xuelei/7093640/webrev.00/

It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.

There is a known tls-version-number tolerant issue for deployed SSL
servers. That is, some servers cannot work with clients whose TLS
version number is bigger than or equal to TLS 1.0. It only happens to
very very very very old and few servers now.

In JDK 7, because of known server tls-version-number tolerant issues,
TLS 1.1 and TLS 1.2 are not enabled by default in the JSSE client.

TLS 1.1 is able to avoid the CBC issues in TLS 1.0 and previous
releases, and TLS 1.2 is able to use stronger hash functions. As the
tls-version-number tolerant issues have been decreasing in recent years,
and the industry is pushing to use new TLS versions in order to avoid
CBC attacks and comply with new hash policies, it's time for us to consider
enabling TLS 1.1 and TLS 1.2 in the JSSE client by default.

I know that because there are a few very old servers that refuse to or cannot
upgrade to the latest TLS implementations, we may run into a few
compatibility issues because of TLS-version-number tolerant issues. But
what's the right time to make use of the advanced features for most of us?

It's time to enable TLS 1.1 and TLS 1.2 in JDK by default.

Please review the changes.

Thanks,
Xuelei
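The thread above is about which protocol versions a JSSE client offers without being asked. The following is an added example, not code from the webrev or from the JDK, showing how an application can inspect the provider's supported versus default-enabled protocol lists and explicitly enable TLS 1.1 and TLS 1.2 on a client socket with the public JSSE API (SSLContext, SSLParameters, SSLSocket). The preferred-version list, the helper names `selectProtocols` and `allEnabled`, and the class name are this example's own choices, not anything the JDK defines. It uses an unconnected socket so it runs without network access; the commented-out connect/handshake lines show where a real connection would go.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ClientTlsVersions {

    // Versions this example wants the client to offer, highest first (an
    // assumption of the example, not a JDK default). "SSLv3" and "SSLv2Hello"
    // are deliberately left out so they are never advertised.
    private static final String[] PREFERRED = {"TLSv1.2", "TLSv1.1", "TLSv1"};

    // Intersect the preferred list with what this JSSE provider actually
    // supports, keeping the preferred order. Passing a name the provider does
    // not support to setEnabledProtocols throws IllegalArgumentException,
    // so the filtering is not optional.
    static String[] selectProtocols(String[] supported) {
        List<String> have = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String p : PREFERRED) {
            if (have.contains(p)) {
                out.add(p);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalStateException(
                "provider supports none of " + Arrays.toString(PREFERRED));
        }
        return out.toArray(new String[0]);
    }

    // True if every requested version is in the enabled list, i.e. the client
    // would advertise at least that version in its ClientHello.
    static boolean allEnabled(String[] enabled, String... wanted) {
        return Arrays.asList(enabled).containsAll(Arrays.asList(wanted));
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // What the provider can do versus what a client gets without asking.
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("supported:          " + Arrays.toString(supported));
        System.out.println("enabled by default: " + Arrays.toString(defaults));
        System.out.println("TLS 1.1/1.2 on by default? "
            + allEnabled(defaults, "TLSv1.1", "TLSv1.2"));

        // An unconnected socket is enough to set the protocol list; no
        // network is touched here.
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        socket.setEnabledProtocols(selectProtocols(socket.getSupportedProtocols()));
        System.out.println("enabled on socket:  "
            + Arrays.toString(socket.getEnabledProtocols()));

        // For a real connection:
        //   socket.connect(new java.net.InetSocketAddress(host, port));
        //   socket.startHandshake();
        //   socket.getSession().getProtocol();   // version the server accepted
        socket.close();
    }
}
```

Two practical notes. The enabled list is what the client advertises; the version actually used is whatever the server picks, visible afterwards via `SSLSession.getProtocol()`. And a version-intolerant server of the kind the thread describes will normally abort the handshake (the client sees an `SSLHandshakeException`) rather than negotiate down; resist the temptation to catch that and silently retry with a shorter protocol list, since any active attacker who can reset a connection could then force every client onto the oldest version you are willing to offer.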
