
Re: [jetty-users] Questioning Fix for 485714

Hello all,

How can I change the default behavior changed in this fix in embedded Jetty?

I am running version 9.3.8.v20160314 now and as a result of the upgrade from 9.3.7.v20160115 lost a large percentage of supported browsers/clients (among which Android 4.0-4.3, IE8-10 on Win7, Java 7 and Safari 6.0.4). Perhaps I am offering a too limited set of ciphers? This was not the case with the previous version.

I prefer running the latest Jetty but this is a bit too much for me.

Cheers,

Silvio


On 03/17/2016 02:24 PM, Marvin Addison wrote:
On Wed, Mar 16, 2016 at 1:43 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Take a look at the JVM security setting some time.

I know that file well enough to know off the top of my head that SHA1 is not disabled in the fairly recent JDK 1.8 I'm using. I was curious to know whether they had dropped it since January without my noticing.

The entries for SHA-0 and SHA-1 blocks are coming.

So it's not disabled by default at present, thus the Jetty project is taking a considerably more conservative approach than the latest JVM right now. That's fine, just needs to be clearly communicated. Additionally, Oracle has a good track record of communicating cipher/strength changes in release notes. The DH key size was a recent change that was communicated clearly and prominently.

See your jetty-distribution-9.3.7.v20160115/VERSION.txt

+ 485714 Update SSL configuration to mitigate SLOTH vulnerability

Says nothing about the security impact of the change, which is the point I'm trying to make. It should say the following:

Disables RSA+MD5 and RSA+SHA1 ciphers by default.

That's a fair criticism, and I hope you'll take it and improve communication in the release announcement and/or changelog in the future.

M
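As an added example (not code from this thread or from the Jetty project), one way to make the embedded cipher-suite policy explicit instead of inheriting whatever a given Jetty release excludes by default. It assumes the Jetty 9.3 `SslContextFactory` API, a placeholder keystore, and that the 9.3.8 default exclude list contains a pattern of the form `^.*_(MD5|SHA|SHA1)$`, which the log loop below lets you confirm.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ExplicitCipherPolicy {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore.jks"); // placeholder
        ssl.setKeyStorePassword("changeit");          // placeholder

        // Record what this Jetty version excludes out of the box, so a
        // release that tightens the defaults (as 9.3.8 did) shows up in
        // your own logs rather than as a drop in connecting clients.
        for (String pattern : ssl.getExcludeCipherSuites()) {
            System.out.println("default exclude: " + pattern);
        }

        // Replace the defaults with a policy you own. setExcludeCipherSuites
        // overwrites the default list; addExcludeCipherSuites would append.
        // Assumption: narrowing the hash pattern to MD5 only re-admits the
        // *_SHA (HMAC-SHA1) suites that the legacy clients named in the
        // thread (IE8-10, Android 4.x, Java 7, Safari 6) depend on, while
        // MD5, NULL, anonymous, export, DES and RC4 suites stay excluded.
        ssl.setExcludeCipherSuites(
            "^.*_MD5$",
            "^.*_NULL_.*$",
            "^.*_anon_.*$",
            "^.*_EXPORT_.*$",
            "^.*_DES_.*$",
            "^.*_RC4_.*$");

        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https));
        connector.setPort(8443);
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```

Because the exclude list is set explicitly here, a later Jetty upgrade that changes the built-in defaults no longer silently changes which clients can connect; the logged defaults show what the new release would have applied.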



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx