Bug 1188742

Summary: java-1.8.0-openjdk: TLS_FALLBACK_SCSV support
Product: Fedora
Component: java-1.8.0-openjdk
Version: 22
Status: CLOSED WONTFIX
Type: Bug
Doc Type: Bug Fix
Reporter: Florian Weimer <fweimer>
Assignee: Andrew John Hughes <ahughes>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ahughes, dbhole, fweimer, jerboaa, jvanek, mgrigull, omajid
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-07-19 12:45:35 UTC

Description Florian Weimer 2015-02-03 15:36:50 UTC
This bug is there to track the addition of TLS_FALLBACK_SCSV support to OpenJDK.  There is some discussion upstream:

  <http://mail.openjdk.java.net/pipermail/security-dev/2015-February/011688.html>

Webrev:

  <http://cr.openjdk.java.net/~fweimer/8061798/webrev.00/>

I'm not saying we absolutely have to apply this *now*, but I'll try to convince upstream to implement this proactively, rather than waiting for requests to implement this to come in.

Comment 1 Andrew John Hughes 2015-02-03 22:16:17 UTC
Do you have a version of this for 8 already? We can't alter SSLParameters in 8 or below, as it's part of the Java API.

Comment 2 Florian Weimer 2015-02-04 06:35:31 UTC
For 8, I plan to backport only the server-side change, and we'll have to test it with another client (either the 9 client, or OpenSSL).

On upstream's security-dev list, there has been a push to handle this via the regular cipher suite selection, but I'm strongly opposed to that because it is asking for developers and system administrators to abuse this feature.
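
The two halves of the mechanism under discussion, as an added example that is not part of this bug or of OpenJDK's code: a client doing out-of-protocol fallback marks its retry with TLS_FALLBACK_SCSV, and the server rejects such a retry with an inappropriate_fallback alert whenever the retried version is below what it supports. The SCSV value (0x5600) and the alert number (86) are the ones RFC 7507 defines; the minimal ClientHello builder without extensions, the simulated attacker that drops the first attempt, and all function names are this example's own assumptions. The suite-selection function also shows why the SCSV should stay out of ordinary cipher suite negotiation: it is a signal, never a suite the server may pick.

```python
import os
import struct

# Values from the TLS cipher suite registry; TLS_FALLBACK_SCSV is RFC 7507.
TLS_FALLBACK_SCSV = 0x5600
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

# Protocol versions as (major, minor); tuple comparison orders them correctly.
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

# Alert value from RFC 7507 section 2: inappropriate_fallback(86).
ALERT_INAPPROPRIATE_FALLBACK = 86


def build_client_hello(version, cipher_suites, fallback):
    """Build a minimal ClientHello handshake message (no extensions).

    Client-side half of RFC 7507: when this hello is a retry at a lower
    version than the client really supports, append the SCSV so the server
    can tell a downgrade apart from a genuinely old client.
    """
    suites = list(cipher_suites)
    if fallback:
        suites.append(TLS_FALLBACK_SCSV)
    body = bytes(version)                        # client_version
    body += os.urandom(32)                       # random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2 * len(suites))   # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # compression_methods: null
    # Handshake header: msg_type 1 (client_hello) and a 24-bit length.
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_client_hello(msg):
    """Return (client_version, [cipher_suites]) from a ClientHello message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    off = 2 + 32                                 # skip random
    off += 1 + body[off]                         # skip session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    return version, suites


def server_check_fallback(msg, server_max_version):
    """Server-side half of RFC 7507, kept apart from suite negotiation.

    Returns None when the handshake may proceed, otherwise the alert the
    server must send. A genuinely old client that sends the SCSV at the
    server's own maximum version is not rejected.
    """
    client_version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def select_cipher_suite(client_suites, server_suites):
    """Ordinary server-preference negotiation; SCSVs are never selectable."""
    for s in server_suites:
        if s != TLS_FALLBACK_SCSV and s in client_suites:
            return s
    return None


def fallback_client(server_max_version, attacker_drops_first_attempt):
    """Simulate a client doing out-of-protocol version fallback.

    The client tries TLS 1.2 first. If that attempt fails (here because a
    simulated attacker drops it), it retries one version lower and marks
    the retry with the SCSV. Returns ("ok", version) or ("alert", number).
    """
    suites = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
    for attempt, version in enumerate([TLS12, TLS11, TLS10]):
        hello = build_client_hello(version, suites, fallback=attempt > 0)
        if attempt == 0 and attacker_drops_first_attempt:
            continue                             # handshake never completes
        alert = server_check_fallback(hello, server_max_version)
        if alert is not None:
            return ("alert", alert)
        return ("ok", version)
    return ("failed", None)


if __name__ == "__main__":
    print(fallback_client(TLS12, attacker_drops_first_attempt=True))   # downgrade blocked
    print(fallback_client(TLS11, attacker_drops_first_attempt=True))   # legacy server, allowed
```

With a TLS 1.2 server the forced retry at TLS 1.1 carries the SCSV and is answered with alert 86, so the downgrade fails closed; against a server whose maximum is TLS 1.1 the same retry is accepted, which is what makes the SCSV safe to send unconditionally on fallback. Only the second half needs to exist in a server-only backport, which matches the plan above for 8.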

Comment 3 Jaroslav Reznik 2015-03-03 16:49:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 5 Andrew John Hughes 2016-05-05 13:07:32 UTC
What's the latest status of this?

Comment 6 Florian Weimer 2016-05-05 13:40:54 UTC
(In reply to Andrew John Hughes from comment #5)
> What's the latest status of this?

I don't know.  There still seems to be some upstream interest, but I don't know the exact state.  Is there still a compelling reason to implement TLS_FALLBACK_SCSV?  I'm no longer sure if it is necessary—I think browsers have stopped doing out-of-protocol fallback.

Comment 7 Fedora End Of Life 2016-07-19 12:45:35 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 8 Florian Weimer 2017-03-13 11:44:05 UTC
I don't think this feature is necessary anymore because insecure protocol downgrade has been phased out from the client population.