Here's a slightly updated version of the patch to implement TLS_FALLBACK_SCSV:
<http://cr.openjdk.java.net/~fweimer/8061798/webrev.01/>

Compared to the previous version, I added references to RFC 7507, and addressed some drift in CipherSuite.java.

I still believe very strongly that the additional APIs are desirable. If we put the cipher suite into the regular cipher suite selector, administrators will add it to application configurations “to fix POODLE”. This works fine right now, but will create a new form of TLS intolerance once servers start supporting TLS 1.3. With separate APIs, this is less likely because for this to happen, applications would have to actually support this as a configuration option, which hopefully will not pass code review.

For the backport to JDK8, I propose to backport the server-side change only, so there will be no API impact.

--
Florian Weimer / Red Hat Product Security
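
The intolerance scenario described in the message, as an added example that is not part of the original post or the webrev: a model of the RFC 7507 server-side check, run against a client that always lists TLS_FALLBACK_SCSV. The class and method names and the plain numeric version comparison are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration of the RFC 7507 server-side check; not code from the webrev.
public class FallbackScsvDemo {
    static final int TLS_FALLBACK_SCSV = 0x5600;    // {0x56, 0x00}, RFC 7507
    static final int INAPPROPRIATE_FALLBACK = 86;   // alert description, RFC 7507
    static final int SUITE = 0xC02F;                // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    // Versions compared as plain numbers (assumption: higher value = newer protocol).
    static final int TLS11 = 0x0302, TLS12 = 0x0303, TLS13 = 0x0304;

    /** Returns 0 to continue the handshake, or the alert description to send. */
    static int checkClientHello(int clientVersion, List<Integer> suites, int serverMax) {
        // RFC 7507: SCSV present and the server supports something newer => abort.
        if (suites.contains(TLS_FALLBACK_SCSV) && serverMax > clientVersion) {
            return INAPPROPRIATE_FALLBACK;
        }
        return 0;
    }

    public static void main(String[] args) {
        // Hypothetical client whose configured suite list always carries the SCSV.
        List<Integer> always = Arrays.asList(SUITE, TLS_FALLBACK_SCSV);

        // 1. Real fallback retry at TLS 1.1 against a TLS 1.2 server: rejected, as intended.
        System.out.println("fallback retry:      " + checkClientHello(TLS11, always, TLS12));
        // 2. First attempt at the client's best version, server tops out at TLS 1.2: accepted.
        System.out.println("first try, 1.2 peer: " + checkClientHello(TLS12, always, TLS12));
        // 3. Same first attempt after the server gains TLS 1.3: rejected, no downgrade involved.
        System.out.println("first try, 1.3 peer: " + checkClientHello(TLS12, always, TLS13));
    }
}
```

Case 3 is the failure mode the message warns about: the client never fell back, yet the handshake is aborted because the SCSV was part of its static configuration.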
