[9] RFC: 8061798: Add support for TLS_FALLBACK_SCSV (RFC 7507)

Xuelei Fan xuelei.fan at oracle.com
Tue May 5 23:42:13 UTC 2015


As additional APIs are strongly desired, what do you think about making
the API more general and easy to use?  For example, using the name:

    SSLParameters.setUseFallbackMode(boolean isFallback)
    boolean SSLParameters.getUseFallbackMode()

We can implement more for this parameter if we need to take care of
additional problems during fallback negotiation.  Instinctively,
developers and code reviewers would not call these APIs unless this is a
real fallback negotiation, I think.

Thanks,
Xuelei

On 5/6/2015 2:54 AM, Florian Weimer wrote:
> Here's a slightly updated version of the patch to implement
> TLS_FALLBACK_SCSV:
> 
>   <http://cr.openjdk.java.net/~fweimer/8061798/webrev.01/>
> 
> Compared to the previous version, I added a reference to RFC 7507, and
> addressed some drift in CipherSuite.java.
> 
> I still believe very strongly that the additional APIs are desirable.
> If we put the cipher suite into the regular cipher suite selector,
> administrators will add it to application configurations “to fix
> POODLE”.  This works fine right now, but will create a new form of TLS
> intolerance once servers start supporting TLS 1.3.  With separate APIs,
> this is less likely because for this to happen, applications would have
> to actually support this as a configuration option, which hopefully will
> not pass code review.
> 
> For the backport to JDK8, I propose to backport the server-side change
> only, so there will be no API impact.
> 
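
Added example, not part of either message or of the webrev patch: a small Java model of the RFC 7507 server-side check, showing why a client that always sends TLS_FALLBACK_SCSV works today but is rejected once the server supports a newer version. The class and method names are hypothetical, and versions are compared as plain ClientHello.client_version values.

```java
import java.util.List;

// Added illustration: models the RFC 7507 server rule only, it is not JSSE code.
public class FallbackScsvModel {
    static final int TLS_FALLBACK_SCSV = 0x5600;   // cipher suite value {0x56, 0x00}
    static final int INAPPROPRIATE_FALLBACK = 86;  // fatal alert defined by RFC 7507
    // Wire values of ClientHello.client_version; TLS13 stands for "any version
    // newer than the client's maximum" (assumption made for this model).
    static final int TLS10 = 0x0301, TLS12 = 0x0303, TLS13 = 0x0304;

    /**
     * Returns the negotiated version, or -INAPPROPRIATE_FALLBACK when the server
     * must abort: the SCSV is present and the server supports a higher version
     * than the one the client offered.
     */
    static int serverNegotiate(int serverMax, int clientVersion, List<Integer> suites) {
        boolean scsv = suites.contains(TLS_FALLBACK_SCSV);
        if (scsv && serverMax > clientVersion) {
            return -INAPPROPRIATE_FALLBACK;
        }
        return Math.min(serverMax, clientVersion);
    }

    static String describe(int result) {
        return result < 0
            ? "fatal alert " + (-result)
            : String.format("negotiated 0x%04x", result);
    }

    public static void main(String[] args) {
        int aes = 0x002F; // TLS_RSA_WITH_AES_128_CBC_SHA, stands in for the real suite list
        List<Integer> plain = List.of(aes);
        List<Integer> withScsv = List.of(aes, TLS_FALLBACK_SCSV);

        // Genuine fallback retry at TLS 1.0 against a TLS 1.2 server: downgrade is caught.
        System.out.println("fallback retry, 1.2 server: "
            + describe(serverNegotiate(TLS12, TLS10, withScsv)));
        // First handshake at the client's real maximum, no SCSV: normal negotiation.
        System.out.println("normal hello, 1.3 server:   "
            + describe(serverNegotiate(TLS13, TLS12, plain)));
        // SCSV configured as an ordinary suite "to fix POODLE": harmless today ...
        System.out.println("always-on SCSV, 1.2 server: "
            + describe(serverNegotiate(TLS12, TLS12, withScsv)));
        // ... but every handshake fails once the server supports something newer.
        System.out.println("always-on SCSV, 1.3 server: "
            + describe(serverNegotiate(TLS13, TLS12, withScsv)));
    }
}
```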


