Upgraded SSLContext#getInstance() TLS versions to match current best practices #3
Conversation
|
I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it? If this change was not helpful, or you have suggestions for improvements, please let me know! |
|
TLS 1.1 and previous are broken and TLS 1.2 is supported by ~99% of web clients, including most non-browser HTTP clients. There are legacy devices connected to the Internet that don't have upgraded firmware (i.e., an Internet-enabled TV from 2005, a point-of-sales machine using IE8). Unless your service needs to connect to relatively ancient partners like this, you should merge this. Just as an aside, you may also be motivated to merge this change based on the fact that TLS 1.2 is actually faster than previous versions. It has less round-trip steps during its negotiation phase and prefers more efficient cipher suites. If there are other concerns about this change, I'd love to hear about them! |
|
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know! You can also customize me to make sure I'm working with you in the way you want. |
This change ensures that
SSLContext#getInstance()uses a safe version of Transport Layer Security (TLS), which is necessary for safe SSL connections.TLS v1.0 and TLS v1.1 both have serious issues and are considered unsafe. Right now, the only safe version to use is 1.2.
Our change involves modifying the arguments to
getInstance()to return TLSv1.2 when it can be confirmed to be another, less secure value:There is no functional difference between the unsafe and safe versions, and all modern servers offer TLSv1.2.
More reading
I have additional improvements ready for this repo! If you want to see them, leave the comment:
... and I will open a new PR right away!
🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: pixee:java/upgrade-sslcontext-tls