Re: [jetty-users] Questioning Fix for 485714

On Wed, Mar 16, 2016 at 1:43 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Take a look at the JVM security setting some time.

I know that file well enough to know off the top of my head that SHA1 is not disabled in the fairly recent JDK 1.8 I'm using. I was curious to know whether they had dropped it since January without my noticing.

The entries for SHA-0 and SHA-1 blocks are coming.

So it's not disabled by default at present, thus the Jetty project is taking a considerably more conservative approach than the latest JVM right now. That's fine, just needs to be clearly communicated. Additionally, Oracle has a good track record of communicating cipher/strength changes in release notes. The DH key size was a recent change that was communicated clearly and prominently.

See your jetty-distribution-9.3.7.v20160115/VERSION.txt

+ 485714 Update SSL configuration to mitigate SLOTH vulnerability

Says nothing about the security impact of the change, which is the point I'm trying to make. It should say the following:

Disables RSA+MD5 and RSA+SHA1 ciphers by default.

That's a fair criticism, and I hope you'll take it and improve communication in the release announcement and/or changelog in the future.

M
