javasecurityssljssebeast

Does the JSSE in Oracle JDK8 implements TLS Fallback SCSV?


It looks like JSSE in OpenJDK version 8 does not implement RFC7507. There is an open defect in OpenJDK bug tracker: JDK-8061798

But there is not much information about the Oracle JDK. Does the Oracle JDK version 8 implement TLS Fallback Signaling Cipher Suite Value (SCSV)? And if it does how this feature can be enabled?


Solution

  • I can find no evidence to suggest that the Oracle JDK 8 supports this feature.

    It seems that the reason that the RFE in JDK-8061798 was not acted on is that this would be a breaking change. A comments on the above says:

    As mentioned in the SSLParameters, this requires an API change for JDK 9, and likely can't be done for shipping JDK's.


    UPDATE: The RFE was closed (WillNotFix) on 27th July 2017. The comments say that it was deemed unnecessary, since current mainstream web browsers no longer support this (legacy) feature. However comments say that if this changes, the RFE could be reopened.