Author: schultz
Date: Tue Oct 21 15:12:27 2014
New Revision: 1633393
URL: http://svn.apache.org/r1633393
Log:
Revise vote
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1633393&r1=1633392&r2=1633393&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Oct 21 15:12:27 2014
@@ -59,7 +59,7 @@ PATCHES PROPOSED TO BACKPORT:
* Mitigate POODLE by disabling SSLv3 by default for JSSE
http://people.apache.org/~markt/patches/2014-10-21-poodle-tc6-v2.patch
- +1: markt
+ +1: markt, schultz
-1:
-0: kkolinko: I think that JSSESocketFactory.getEnabledProtocols() shall
not return DEFAULT_SERVER_PROTOCOLS list in case if there are no
@@ -71,12 +71,12 @@ PATCHES PROPOSED TO BACKPORT:
I wish there were some debug logging to see what protocols are being
filtered out by "if (protocol.contains("SSL"))".
markt: Addressed in v2 patch
- -0: schultz; I agree with Konstantin's critique. Small adjustments to the
- proposal are in order. Additionally, the code for filtering protocols
- should probably be factored-out into a separte method to ensure
- the filtering stays consistent between the two methods that currently
- do it.
- markt: Addressed in v2 patch
+
+ schultz: it's not clear from the code what will happen if
+ DEFAULT_SERVER_PROTOCOLS remains null. Would it be more clear
+ to use an empty string array instead of null? I seem to recall
+ slightly different "null" behavior in Oracle/OpenJDK versus
+ IBM JVMs.
* Mitigate POODLE by disabling SSLv3 by default for APR/native
http://svn.apache.org/r1632586
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
