[ 
https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14502706#comment-14502706
 ] 

ASF subversion and git services commented on QPIDJMS-38:
--------------------------------------------------------

Commit 2a5f89a1c144c0734491c9264de08c08627e4033 in qpid-jms's branch 
refs/heads/master from Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=2a5f89a ]

QPIDJMS-38: use enabled protocols as starting point in the tests, avoiding 
issues from on-the-fly SSLv3 disabling performed by newer JVMs


> updates to SSL/TLS configuration and/or handling
> ------------------------------------------------
>
>                 Key: QPIDJMS-38
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-38
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>             Fix For: 0.2.0
>
>
> Some updates to our SSL/TLS configuration and/or handling:
> For 0.1.0 the docs said we don't set a default value for the 
> 'enabledProtocols' transport option, relying on the JVM defaults if none were 
> configured explicitly. However, the code actually did have a default. One of 
> those enabled was the SSLv2Hello pseudo protocol, which would make the older 
> Hello format be used even for TLS connections, even though this behaviour is 
> now disabled by default for client connections since Java 7. The code will be 
> updated to remove the transport configuration default and let it do what the 
> docs said by using the defaults given when creating the SSLEngine from the 
> SSLContext. This will mean that any newer protocols will be useable as they 
> become available and that we won't explicitly enable protocols by default that 
> might become disabled for security reasons (e.g. like SSLv3 has been disabled 
> in many JVMs now). The transport code will be updated to explicitly disable 
> SSLv2Hello and SSLv3 rather than relying on them not being configured as 
> enabled.
> The SSLContext instance is created using a hard coded protocol option of 
> "TLS" currently. This should be configurable to allow users to choose the 
> value most appropriate to their needs/JVM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
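
The approach described in the issue (start from the SSLEngine's own enabled protocols, then explicitly remove SSLv2Hello and SSLv3) can be sketched as follows. This is an added example, not code from qpid-jms or from the commit; the class name, the `resolveProtocols` helper, the sample user list and the choice to fail when nothing remains are all assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolFilterExample {
    // Removed even if the JVM defaults or a user-supplied list enable them.
    private static final List<String> DISABLED = Arrays.asList("SSLv2Hello", "SSLv3");

    // Hypothetical helper: 'configured' == null means no enabledProtocols option
    // was given, so the engine's defaults are the starting point.
    static String[] resolveProtocols(SSLEngine engine, String[] configured) {
        String[] start = (configured != null) ? configured : engine.getEnabledProtocols();
        List<String> result = new ArrayList<>();
        for (String protocol : start) {
            if (!DISABLED.contains(protocol)) {
                result.add(protocol);
            }
        }
        // Assumption: fail closed rather than hand the engine an empty list.
        if (result.isEmpty()) {
            throw new IllegalStateException("No enabled protocols left after filtering");
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // SSLContext protocol is taken from the command line instead of being fixed to "TLS".
        String contextProtocol = args.length > 0 ? args[0] : "TLS";
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // default key/trust managers

        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("JVM defaults:  " + Arrays.toString(engine.getEnabledProtocols()));

        // Case 1: nothing configured, so new JVM protocols are picked up automatically.
        engine.setEnabledProtocols(resolveProtocols(engine, null));
        System.out.println("Filtered:      " + Arrays.toString(engine.getEnabledProtocols()));

        // Case 2: constructed user configuration that still lists SSLv3.
        String[] userConfigured = {"SSLv3", "TLSv1.2"};
        System.out.println("User filtered: "
                + Arrays.toString(resolveProtocols(engine, userConfigured)));
    }
}
```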
