[9] RFC: 8061798: Add support for TLS_FALLBACK_SCSV (RFC 7507)

Florian Weimer fweimer at redhat.com
Tue May 5 18:54:56 UTC 2015


Here's a slightly updated version of the patch to implement
TLS_FALLBACK_SCSV:

  <http://cr.openjdk.java.net/~fweimer/8061798/webrev.01/>

Compared to the previous version, I added a references to RFC 7507, and
addressed some drift in CipherSuite.java.

I still believe very strongly that the additional APIs are desirable.
If we put the cipher suite into the regular cipher suite selector,
administrators will add it to application configurations “to fix
POODLE”.  This works fine right now, but will create a new form of TLS
intolerance once servers start supporting TLS 1.3.  With separate APIs,
this is less likely because for this to happen, applications would have
to actually support this as a configuration option, which hopefully will
not pass code review.

For the backport to JDK8, I propose to backport the server-side change
only, so there will be no API impact.

-- 
Florian Weimer / Red Hat Product Security


More information about the security-dev mailing list