On 4/14/2015 2:25 AM, Thomas Lußnig wrote:
> Hi,
>
> I checked the CipherSuites in JDK and found that there is a
> mistake in the JDK, I think.
> In CipherSuite the method add sets the PRF to NONE only if obsoleted is less
> than TLSv1.2.
> But if the suite is forbidden / obsoleted in TLSv1.2 the check must be
> <= (less or equal)

Can you explain more about this point?

Xuelei

> if I am correct.
>
> http://grepcode.com/file_/repository.grepcode.com/java/root/jdk/openjdk/8-b132/sun/security/ssl/CipherSuite.java/?v=source
>
> /*
> * Use this method when there is no lower protocol limit where this
> * suite can be used, and the PRF is P_SHA256. That is, the
> * existing ciphersuites. From RFC 5246:
> *
> * All cipher suites in this document use P_SHA256.
> */
> private static void add(String name, int id, int priority,
> KeyExchange keyExchange, BulkCipher cipher,
> boolean allowed, int obsoleted) {
> // If this is an obsoleted suite, then don't let the TLS 1.2
> // protocol have a valid PRF value.
> PRF prf = P_SHA256;
> if (obsoleted < ProtocolVersion.TLS12.v) {
> prf = P_NONE;
> }
>
> add(name, id, priority, keyExchange, cipher, allowed, obsoleted,
> ProtocolVersion.LIMIT_MIN_VALUE, prf);
> }
>
> Regards, Thomas
>
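The following is an added illustration, not code from this thread or from the JDK: it models the `obsoleted` boundary in the quoted add() for three kinds of suite (obsoleted in TLS 1.1, obsoleted in TLS 1.2, never obsoleted) and compares the `<` check with the proposed `<=`. The version constants are the TLS wire values; `LIMIT_MAX_VALUE` as "never obsoleted" and the `usableIn()` rule (a suite is usable only in versions below the one in which it was obsoleted) are assumptions of this example.

```java
// Added example (not JDK code): models the obsoleted/PRF boundary from the
// quoted CipherSuite.add() so the off-by-one Thomas describes is visible.
import java.util.ArrayList;
import java.util.List;

public class PrfBoundaryCheck {
    // TLS wire version numbers, as carried in ProtocolVersion.v
    static final int TLS10 = 0x0301, TLS11 = 0x0302, TLS12 = 0x0303;
    // Assumed stand-in for ProtocolVersion.LIMIT_MAX_VALUE: "never obsoleted"
    static final int LIMIT_MAX_VALUE = 0xFFFF;

    enum PRF { P_NONE, P_SHA256 }

    // The quoted JDK 8 logic: only suites obsoleted *before* TLS 1.2 lose the PRF.
    static PRF prfAsInJdk8(int obsoleted) {
        return obsoleted < TLS12 ? PRF.P_NONE : PRF.P_SHA256;
    }

    // The variant proposed in the mail: suites obsoleted *in* TLS 1.2 lose it too.
    static PRF prfWithLessOrEqual(int obsoleted) {
        return obsoleted <= TLS12 ? PRF.P_NONE : PRF.P_SHA256;
    }

    // Assumption for this example: a suite is usable in a protocol version only
    // if that version is strictly below the version in which it was obsoleted.
    static boolean usableIn(int obsoleted, int version) {
        return version < obsoleted;
    }

    // obsoleted values for which the '<' rule keeps a TLS 1.2 PRF on a suite
    // that, under the assumed rule above, can no longer be used with TLS 1.2.
    static List<Integer> inconsistentCases(int... obsoletedValues) {
        List<Integer> out = new ArrayList<>();
        for (int ob : obsoletedValues) {
            if (!usableIn(ob, TLS12) && prfAsInJdk8(ob) == PRF.P_SHA256) {
                out.add(ob);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        int[] cases = {TLS11, TLS12, LIMIT_MAX_VALUE};
        for (int ob : cases) {
            System.out.printf("obsoleted=0x%04x usableInTLS12=%b prf(<)=%s prf(<=)=%s%n",
                ob, usableIn(ob, TLS12), prfAsInJdk8(ob), prfWithLessOrEqual(ob));
        }
        // Only the suite obsoleted exactly at TLS 1.2 differs between the two rules.
        System.out.println("differs under '<' vs '<=': " + inconsistentCases(cases));
    }
}
```

Only the middle case (obsoleted == TLS12) changes between the two comparisons; suites obsoleted earlier or never obsoleted get the same PRF either way.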