Looks good.

Regards,
Sean.

On 03/08/16 10:23, Xuelei Fan wrote:
New webrev:
    http://cr.openjdk.java.net/~xuelei/8162362/webrev.01/

On 8/3/2016 4:13 PM, Seán Coffey wrote:
Hi Xuelei,

Thanks for taking this one on. I think the approach looks good. Some
minor comments ..

Can we update the bug description to something like "Introduce system
property to control enabled ciphersuites"

SSLContextImpl.java :

typo : getCustomizedCipehrSuites --> getCustomizedCipherSuites

line 432, if we're in debug mode, can we print the property name handed
in from application code ?
e.g. Something like this might appear : jdk.tls.client.cipherSuites
property set to : "SSL_RSA_WITH_DES_CBC_SHA"

For the testcase, would you mind testing the new value with multiple
comma separated values ?

e.g. -Djdk.tls.client.cipherSuites="unknown, SSL_RSA_WITH_DES_CBC_SHA,
unknown1, TLS_RSA_WITH_AES_128_CBC_SHA"

All above comments get addressed in the new webrev.


On line 200, 205, I think you can then just change your test to a
String.contains("<cipher>") call.

I got the point.  I want to use isEmpty() so that it reminds me
that the empty string is special in this context.  Let me use the old code.

Thanks,
Xuelei


Regards,
Sean.

On 02/08/2016 16:34, Xuelei Fan wrote:
Ping ...

On 7/29/2016 11:23 PM, Xuelei Fan wrote:
Hi,

Please review the fix for JDK-8162362:

     http://cr.openjdk.java.net/~xuelei/8162362/webrev.00/

If a cipher suite is getting weak or vulnerable, it is normally removed
from the default enabled list in JDK.  The compatibility impact of the
removal is normally minimal if there are other available cipher
suites enabled.

However, some applications may want to support the disabled cipher
suites in JDK.  If the source code is not accessible, there is not much
of a workaround to get the cipher suite working again if it is removed from
the default enabled list in JDK.

This fix introduces two new system properties, which can be used to
customize the default enabled cipher suites.

The system property "jdk.tls.client.cipherSuites" is used to customize
the default enabled cipher suites for client side of SSL/TLS/DTLS
connections. Similarly, the system property
"jdk.tls.server.cipherSuites" is used for server side.

The system property contains a comma-separated list of supported cipher
suite names specifying the default enabled cipher suites.  All other
supported cipher suites are disabled for this default setting.
Unrecognized or unsupported cipher suite names specified in the property
are ignored.  Explicit setting of enabled cipher suites will override the
system property.

Thanks,
Xuelei
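
The property semantics described in the message above (comma-separated names, unrecognized or unsupported names ignored, explicit setting wins), as an added example that is not part of the thread or of the JDK change. The class name `CipherSuitePropertyCheck` and the helper `effectiveSuites` are hypothetical, and the trimming and de-duplication are assumptions; the default input is the multi-value sample from the review comments.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherSuitePropertyCheck {
    // Hypothetical helper: split on commas, trim, keep supported names in
    // the order given, and collect everything else as ignored.
    static List<String> effectiveSuites(String value, Set<String> supported,
                                        List<String> ignored) {
        List<String> kept = new ArrayList<>();
        if (value == null) {
            return kept;
        }
        for (String raw : value.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;               // stray comma or empty value
            }
            if (!supported.contains(name)) {
                ignored.add(name);      // unrecognized or unsupported on this runtime
            } else if (!kept.contains(name)) {
                kept.add(name);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        // Default input is the multi-value sample from the review thread.
        String value = args.length > 0 ? args[0]
                : "unknown, SSL_RSA_WITH_DES_CBC_SHA, unknown1, TLS_RSA_WITH_AES_128_CBC_SHA";
        List<String> ignored = new ArrayList<>();
        System.out.println("would be enabled: " + effectiveSuites(value, supported, ignored));
        System.out.println("ignored:          " + ignored);
        // Explicit setting: the engine uses exactly what the application sets.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledCipherSuites(new String[] { supported.iterator().next() });
        System.out.println("explicit:         " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Running it against a deployment's intended property value before rollout shows which weak suites would actually be re-enabled on that runtime and which names would be silently dropped.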

