[ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14491601#comment-14491601 ]
Jakub Scholz commented on QPIDJMS-38:
-------------------------------------

Is it intentional that the transport.disabledProtocols option doesn't seem to be mentioned in the documentation?

> updates to SSL/TLS configuration and/or handling
> ------------------------------------------------
>
>                 Key: QPIDJMS-38
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-38
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>             Fix For: 0.2.0
>
>
> Some updates to our SSL/TLS configuration and/or handling:
> For 0.1.0 the docs said we don't set a default value for the
> 'enabledProtocols' transport option, relying on the JVM defaults if none were
> configured explicitly. However, the code actually did have a default. One of
> those enabled was the SSLv2Hello pseudo protocol, which would make the older
> Hello format be used even for TLS connections, even though this behaviour is
> now disabled by default for client connections since Java 7. The code will be
> updated to remove the transport configuration default and let it do what the
> docs said by using the defaults given when creating the SSLEngine from the
> SSLContext. This will mean that any newer protocols will be useable as they
> become available and that we won't explicitly enable protocols by default that
> might become disabled for security reasons (e.g. like SSLv3 has been disabled
> in many JVMs now). The transport code will be updated to explicitly disable
> SSLv2Hello and SSLv3 rather than relying on them not being configured as
> enabled.
> The SSLContext instance is created using a hard coded protocol option of
> "TLS" currently. This should be configurable to allow users to choose the
> value most appropriate to their needs/JVM.
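The behaviour described in the quoted issue (JVM defaults for enabled protocols, explicit removal of SSLv2Hello and SSLv3, configurable SSLContext protocol), sketched as an added example that is not part of this message and is not Qpid JMS code. The class and the helper `effectiveProtocols` are hypothetical names; only standard `javax.net.ssl` calls are used.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolFilterExample {

    // Hypothetical helper, not the Qpid JMS implementation. 'enabled' may be
    // null, meaning no enabledProtocols value was configured and the engine's
    // own defaults (derived from the SSLContext) should be used.
    static String[] effectiveProtocols(SSLEngine engine, String[] enabled, String[] disabled) {
        List<String> result = new ArrayList<>(
                Arrays.asList(enabled != null ? enabled : engine.getEnabledProtocols()));
        // Remove disabled entries explicitly instead of relying on them
        // happening to be absent from the enabled list.
        result.removeAll(Arrays.asList(disabled));
        if (result.isEmpty()) {
            // Fail closed: refuse to continue with nothing left to negotiate.
            throw new IllegalStateException("No protocols left enabled after filtering");
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Context protocol is an input here rather than a hard-coded "TLS".
        String contextProtocol = args.length > 0 ? args[0] : "TLS";
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // JVM default key/trust managers and RNG

        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true); // defaults can differ between client and server mode

        String[] disabled = {"SSLv2Hello", "SSLv3"};
        System.out.println("JVM defaults: " + Arrays.toString(engine.getEnabledProtocols()));

        engine.setEnabledProtocols(effectiveProtocols(engine, null, disabled));
        System.out.println("Effective:    " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the two printed lists on a given JVM shows whether the disabled list changed anything there, which is a quick check when auditing a client's negotiated protocol set.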