author | Alex Klyubin <klyubin@google.com> | 2013-11-26 10:53:29 -0800 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2013-12-16 17:19:40 -0800 |
commit | 53360555a747056b8e599c3e3fb06532e7e30f61 (patch) | |
tree | a12e54aa57ec6399a82225c548b34026f1ba1094 | |
parent | 69e4812b123eecf09f1cf12d9072fa2f3c8f65a4 (diff) | |
Enable TLSv1.1 and TLSv1.2 by default for SSLSocket.
TLSv1.1 and TLSv1.2 offer built-in protection against BEAST attack
and support for GCM cipher suites.
This change causes TLS/SSL handshake failures with a small fraction
of servers, load balancers and TLS/SSL accelerators with broken
TLS/SSL implementations.
Scans demonstrate that the number is around 0.6%. Breaking
connectivity (using platform default settings) to a tiny minority of
the ecosystem is acceptable because this inconvenience is outweighed
by the added safety for the overwhelming majority of the ecosystem.
App developers affected by this issue should consider asking such
servers to be fixed or explicitly disabling TLSv1.1 and TLSv1.2 in
their apps.
Bug: 11220570
Change-Id: Ice9e8ce550401ba5e3385fd369c40f01c06ac7fd
-rw-r--r-- | luni/src/main/java/javax/net/ssl/SSLSocket.java | 4 | ||||
-rw-r--r-- | support/src/test/java/libcore/java/security/StandardNames.java | 4 |
2 files changed, 5 insertions, 3 deletions
diff --git a/luni/src/main/java/javax/net/ssl/SSLSocket.java b/luni/src/main/java/javax/net/ssl/SSLSocket.java
index 7f41836..0ae4abc 100644
--- a/luni/src/main/java/javax/net/ssl/SSLSocket.java
+++ b/luni/src/main/java/javax/net/ssl/SSLSocket.java
@@ -55,12 +55,12 @@ import java.net.UnknownHostException;
 * <tr>
 * <td>TLSv1.1</td>
 * <td>16+</td>
- * <td></td>
+ * <td>20+</td>
 * </tr>
 * <tr>
 * <td>TLSv1.2</td>
 * <td>16+</td>
- * <td></td>
+ * <td>20+</td>
 * </tr>
 * </tbody>
 * </table>
diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java
index de0d7c2..fecb5c1 100644
--- a/support/src/test/java/libcore/java/security/StandardNames.java
+++ b/support/src/test/java/libcore/java/security/StandardNames.java
@@ -541,7 +541,9 @@ public final class StandardNames extends Assert {
 public static final Set<String> SSL_SOCKET_PROTOCOLS_CLIENT_DEFAULT = new HashSet<String>(Arrays.asList(
 "SSLv3",
- "TLSv1"));
+ "TLSv1",
+ "TLSv1.1",
+ "TLSv1.2"));
 public static final Set<String> SSL_SOCKET_PROTOCOLS_SERVER_DEFAULT = new HashSet<String>(Arrays.asList(
 "SSLv3", |
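Review bot: `SSL_SOCKET_PROTOCOLS_CLIENT_DEFAULT` is a hand-maintained copy of the client default protocol list, and the new entries carry no comment saying what they must stay in sync with. Nothing in this commit's two files sets the enabled protocols, so the real default is presumably defined in the TLS provider and this expectation will only hold once that change is present. I would add above the declaration `// Must match the provider's default-enabled client protocols and the protocol table in SSLSocket's Javadoc.` Note also that `"SSLv3"` and `"TLSv1"` stay in the expected set, so the BEAST protection cited in the commit message applies only to connections that actually negotiate TLSv1.1 or later. The `SSL_SOCKET_PROTOCOLS_SERVER_DEFAULT` initializer continues past the end of the hunk.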