Hello,

I know there is an Oracle article on Java SE vs. Poodle which essentially describes https.protocols for java.net.URL and jdk.tls.client.protocols for default SSLContext in JDK8+.

What is not described is if there is any out of band protocol fallback implemented (especially in https handler). I think there is none, at least I haven't seen any, but maybe somebody else can tell? If there is none, the client side would not be that critical.

I also wonder if this also means there should be a jdk.tls.client.protocols.blacklist and jdk.tls.server.protocols.blacklist property which cannot be circumvented (i.e. works with all requested protocols and even when enable is called). (and maybe jdk.tls.*.cipher.blacklist as well)

Besides that, any news on the FALLBACK_SCSV patch from Florian?

Regards,
Bernd
