The fix looks harmless, but I don't understand the test. What happens if SSLv2Hello is filtered out?
--Max

On Jul 30, 2014, at 20:56, Xuelei Fan <xuelei....@oracle.com> wrote:

> Hi,
>
> Please review this fix for JDK-8052406:
>
> Webrev: http://cr.openjdk.java.net/~xuelei/8052406/webrev.00/
> JBS: https://bugs.openjdk.java.net/browse/JDK-8049321
>
> For TLS connections, if no suitable cipher suite is available for a
> particular TLS protocol, such protocol should not be negotiated. For
> example, if only "TLS_RSA_WITH_AES_128_CBC_SHA256" is enabled, as it is
> only supported by TLS version 1.2, the connection should be negotiated
> TLS version 1 and 1.1.
>
> In the SunJSSE implementation, we check the binding of enabled protocols and
> enabled cipher suites. SSLv2Hello may be improperly filtered out when
> making the check above. Actually, SSLv2Hello is not a real SSL/TLS
> protocol, it is only used as the format of the ClientHello message. If
> SSLv2Hello is enabled, it should not be filtered out.
>
> This fix addresses the SunJSSE implementation problem above.
>
> Thanks,
> Xuelei
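
The protocol/cipher-suite binding check discussed in this thread, as an added example that is not part of either mail and is not the SunJSSE code from the webrev. It is a simplified model: the class `ActiveProtocols`, its methods, the `keepHelloFormat` flag and the two-entry suite table are all hypothetical and constructed for illustration.

```java
import java.util.*;

// Added illustration: a simplified model of the check, not the SunJSSE source.
public class ActiveProtocols {
    // Negotiable versions, oldest first. SSLv2Hello is deliberately absent:
    // it names a ClientHello format, not a protocol version.
    static final List<String> VERSIONS = List.of("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    // Constructed table: the oldest version each suite can be used with.
    static final Map<String, String> MIN_VERSION = Map.of(
        "TLS_RSA_WITH_AES_128_CBC_SHA", "SSLv3",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2");

    static boolean usable(String suite, String protocol) {
        String min = MIN_VERSION.get(suite);
        // indexOf is -1 for SSLv2Hello, so no suite ever counts as usable with it.
        return min != null && VERSIONS.indexOf(protocol) >= VERSIONS.indexOf(min);
    }

    // keepHelloFormat=false treats SSLv2Hello like any other protocol name,
    // which is the filtering the mail describes as improper.
    static List<String> activeProtocols(List<String> protocols, List<String> suites,
                                        boolean keepHelloFormat) {
        List<String> active = new ArrayList<>();
        for (String p : protocols) {
            if (keepHelloFormat && p.equals("SSLv2Hello")) {
                active.add(p); // exempt from the cipher-suite binding check
            } else if (suites.stream().anyMatch(s -> usable(s, p))) {
                active.add(p);
            }
        }
        // Assumption of this model: a hello format with no real version left
        // cannot negotiate anything, so report no active protocols at all.
        if (active.stream().noneMatch(VERSIONS::contains)) {
            active.clear();
        }
        return active;
    }

    public static void main(String[] args) {
        List<String> protocols = List.of("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2");
        List<String> suites = List.of("TLS_RSA_WITH_AES_128_CBC_SHA256");
        System.out.println("SSLv2Hello filtered: " + activeProtocols(protocols, suites, false));
        System.out.println("SSLv2Hello kept:     " + activeProtocols(protocols, suites, true));
    }
}
```

In this model the two calls differ only in whether `SSLv2Hello` survives the check; the set of real protocol versions left after filtering is the same in both.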