Looks good, but a couple of comments:
In the Solution section, it says: "Applications can change the behavior
with the existing SSLParameters.setUseCipherSuitesOrder() method."
I think you should be more clear that this means applications can change
the order of the server's preferred cipher suites. There will be no way
to go back to the previous behavior where the client's order is respected.
Same comment in the proposed Release Note, although I don't think this
section needs to be in the CSR, does it?
--Sean
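The server-side use of SSLParameters.setUseCipherSuitesOrder() referred to above, as an added illustration that is not code from the CSR or this thread. The preference list is an assumption chosen for the example, SSLContext.getDefault() stands in for a real server context, and the boolean argument selects between the two behaviors the thread discusses.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.List;

public class ServerCipherOrder {
    // Assumed server preference list, strongest first. Names are standard
    // JSSE suite names; anything the local provider lacks is filtered out below.
    static final String[] PREFERRED = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Build a server-mode engine whose enabled suites follow PREFERRED. */
    static SSLEngine configureServerEngine(SSLContext ctx, boolean honorServerOrder) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();

        // Keep only suites the provider supports, preserving our ordering.
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        String[] enabled = Arrays.stream(PREFERRED)
            .filter(supported::contains)
            .toArray(String[]::new);
        params.setCipherSuites(enabled);

        // true : the local (server) list order is honored when choosing a suite.
        // false: the local order is not honored, so the peer's offered order
        //        applies, which is the default the CSR proposes to change.
        params.setUseCipherSuitesOrder(honorServerOrder);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = configureServerEngine(SSLContext.getDefault(), true);
        SSLParameters p = engine.getSSLParameters();
        System.out.println("useCipherSuitesOrder=" + p.getUseCipherSuitesOrder());
        System.out.println("enabled=" + String.join(", ", p.getCipherSuites()));
    }
}
```

Checking getUseCipherSuitesOrder() on the effective parameters, as main() does, is the simplest way to confirm which ordering a given JDK will actually apply on a server endpoint.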
On 2/25/19 12:36 PM, Xuelei Fan wrote:
Hi,
Could I have the following CSR reviewed?
https://bugs.openjdk.java.net/browse/JDK-8219657
It is proposing to use server cipher suite preference by default for TLS
connections in JDK. In the current implementation, the server honors the
client cipher suite preference by default. It is easier to maintain if
using the server cipher suite preference, and then the server can have
more control over the security parameters of TLS connections.
I think the compatibility impact should be minimal. If there is a known
risk for you, please let me know by the end of March 4, 2019.
Thanks,
Xuelei