From 53360555a747056b8e599c3e3fb06532e7e30f61 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Tue, 26 Nov 2013 10:53:29 -0800
Subject: Enable TLSv1.1 and TLSv1.2 by default for SSLSocket.

TLSv1.1 and TLSv1.2 offer built-in protection against BEAST attack and support for GCM cipher suites. This change causes TLS/SSL handshake failures with a small fraction of servers, load balancers and TLS/SSL accelerators with broken TLS/SSL implementations. Scans demonstrate that the number is around 0.6%. Breaking connectivity (using platform default settings) to a tiny minority of the ecosystem is acceptable because this inconvenience is outweighed by the added safety for the overwheling majority of the ecosystem. App developers affected by this issue should consider asking such servers to be fixed or explicitly disabling TLSv1.1 and TLSv1.2 in their apps.

Bug: 11220570
Change-Id: Ice9e8ce550401ba5e3385fd369c40f01c06ac7fd
---
 luni/src/main/java/javax/net/ssl/SSLSocket.java | 4 ++--
 support/src/test/java/libcore/java/security/StandardNames.java | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/luni/src/main/java/javax/net/ssl/SSLSocket.java b/luni/src/main/java/javax/net/ssl/SSLSocket.java
index 7f41836..0ae4abc 100644
--- a/luni/src/main/java/javax/net/ssl/SSLSocket.java
+++ b/luni/src/main/java/javax/net/ssl/SSLSocket.java
@@ -55,12 +55,12 @@ import java.net.UnknownHostException;
 * * TLSv1.1 * 16+
- *
+ * 20+
 * * * TLSv1.2 * 16+
- *
+ * 20+
 * * *
diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java
index de0d7c2..fecb5c1 100644
--- a/support/src/test/java/libcore/java/security/StandardNames.java
+++ b/support/src/test/java/libcore/java/security/StandardNames.java
@@ -541,7 +541,9 @@ public final class StandardNames extends Assert {
 public static final Set SSL_SOCKET_PROTOCOLS_CLIENT_DEFAULT = new HashSet(Arrays.asList(
 "SSLv3",
- "TLSv1"));
+ "TLSv1",
+ "TLSv1.1",
+ "TLSv1.2"));
 public static final Set SSL_SOCKET_PROTOCOLS_SERVER_DEFAULT = new HashSet(Arrays.asList(
 "SSLv3",
-- 
cgit v1.1
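Review bot: `SSL_SOCKET_PROTOCOLS_CLIENT_DEFAULT` keeps "SSLv3" and "TLSv1" alongside the newly added "TLSv1.1" and "TLSv1.2", so the expected client default still permits negotiating SSLv3 or TLSv1.0, and the BEAST/GCM benefit cited in the commit message only materializes when the peer actually selects TLS 1.1 or later; an active downgrade to the older protocols is not ruled out by this expectation alone. The diffstat attributes all three insertions in this file to this hunk, so `SSL_SOCKET_PROTOCOLS_SERVER_DEFAULT`, whose initializer runs past the end of the hunk, is left unchanged; if the client/server asymmetry is deliberate it should be stated on both constants, e.g. `// Client default enables TLSv1.1/1.2 (bug 11220570) but still offers SSLv3 for compatibility; server default intentionally unchanged.` Since the patch touches only this test expectation and the SSLSocket Javadoc table, the runtime change to the platform default presumably lives in a separate change, which the description should reference so the expectation and the implementation can be kept in sync. The enclosing class `StandardNames` continues outside the hunk.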