List: openjdk-security-dev
Subject: Implement TLS_FALLBACK_SCSV for OpenJDK 9
From: Florian Weimer <fweimer () redhat ! com>
Date: 2014-10-16 15:20:40
Message-ID: 543FE248.5030109 () redhat ! com
I have implemented TLS_FALLBACK_SCSV for OpenJDK 9:

<https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00>

The justification is that there might be web browsers (with the broken
fallback behavior) which directly connect to HTTPS servers implemented
in Java.

Code review is here:

<https://fweimer.fedorapeople.org/openjdk/tls-fallback-scsv/>

Can I get a bug ID? Then I will include it in a follow-up patch,
together with a test case.

The client-side part is mainly there to support testing the server-side
part, it really should not be used. I do not plan to include it in the
backports because of the public API change.

I have not added a configuration knob to the server-side code because
the risk of it going wrong is extremely low (basically, a client would
have to use the 0x5600 cipher suite value for something else entirely).

There is still an ongoing discussion in IETF TLS WG whether this is a
good idea. I think it is not, others disagree. I wanted to post this
CR nevertheless to avoid duplicating work.

--
Florian Weimer / Red Hat Product Security
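
The server-side check discussed in the message above, as an added Java example that is not part of the original post or of the OpenJDK patch. The class, method and enum names are hypothetical, the ClientHello bytes are constructed, and the inappropriate_fallback response is taken from the linked draft.

```java
import java.nio.ByteBuffer;

public class FallbackScsvCheck {
    // Cipher suite value named in the message; it only signals, it is never negotiated.
    static final int TLS_FALLBACK_SCSV = 0x5600;

    enum Decision { CONTINUE, INAPPROPRIATE_FALLBACK }

    /**
     * @param clientVersion ClientHello.client_version, e.g. 0x0301 for TLS 1.0
     * @param cipherSuites  body of the cipher_suites vector (2 bytes per suite)
     * @param serverMax     highest protocol version the server has enabled
     */
    static Decision check(int clientVersion, byte[] cipherSuites, int serverMax) {
        if ((cipherSuites.length & 1) != 0) {
            throw new IllegalArgumentException("odd cipher_suites length");
        }
        ByteBuffer buf = ByteBuffer.wrap(cipherSuites); // big-endian by default
        boolean fallback = false;
        while (buf.remaining() >= 2) {
            if ((buf.getShort() & 0xFFFF) == TLS_FALLBACK_SCSV) {
                fallback = true;
            }
        }
        // The client states that this is a retry at a lower version. If the
        // server could have done better, the earlier failure was not caused
        // by a version mismatch, so the handshake is refused.
        return (fallback && clientVersion < serverMax)
                ? Decision.INAPPROPRIATE_FALLBACK
                : Decision.CONTINUE;
    }

    public static void main(String[] args) {
        // Constructed samples: TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), with and without the SCSV.
        byte[] withScsv = {0x00, 0x2F, 0x56, 0x00};
        byte[] withoutScsv = {0x00, 0x2F};
        int tls10 = 0x0301, tls12 = 0x0303;

        System.out.println("TLS 1.0 hello + SCSV, server max TLS 1.2: "
                + check(tls10, withScsv, tls12));
        System.out.println("TLS 1.2 hello + SCSV, server max TLS 1.2: "
                + check(tls12, withScsv, tls12));
        System.out.println("TLS 1.0 hello, no SCSV, server max TLS 1.2: "
                + check(tls10, withoutScsv, tls12));
    }
}
```

Only the first case is refused; a client that offers the SCSV at the server's highest version, or that never offers it, proceeds as before.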