Re: [jetty-users] Questioning Fix for 485714

Hi,

On Wed, Mar 16, 2016 at 3:46 PM, Marvin Addison
<marvin.addison@xxxxxxxxx> wrote:
> I'm troubled by the following commit:
>
> https://github.com/eclipse/jetty.project/commit/0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb
>
> That prevents the following cipher suites _by default_ required for TLS1
> interoperability according to NIST [1]:
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA
>
> In our testing, this effectively requires clients to negotiate TLS 1.2
> connections, which is simply impractical. While our strict set of cipher
> suites may be contributing to this behavior, it's a pretty dramatic change
> in defaults for a patch release (9.3.6-9.3.7). I appreciate your desire to
> ship secure defaults, but I think this may go too far. Of course it's an
> easy fix to explicitly configure all SSL protocol settings explicitly, but I
> burnt several hours tracking down what to override. I encourage you to
> reconsider.

Well, on the other hand, exactly because of this change you became
aware of security vulnerabilities that you may have missed :)
It is always a tough call; given that "minor" Jetty releases (e.g. 9.3
-> 9.4) may take several months, it may not be considered sensible
that we delay safer defaults for such a long time.
If you have an idea on how to handle this better, providing prompt
safer defaults without breaking apps, we are all ears.

Thanks!

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.