Author: schultz Date: Tue Oct 21 15:12:27 2014 New Revision: 1633393 URL: http://svn.apache.org/r1633393 Log: Revise vote
Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1633393&r1=1633392&r2=1633393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Oct 21 15:12:27 2014 @@ -59,7 +59,7 @@ PATCHES PROPOSED TO BACKPORT: * Mitigate POODLE by disabling SSLv3 by default for JSSE http://people.apache.org/~markt/patches/2014-10-21-poodle-tc6-v2.patch - +1: markt + +1: markt, schultz -1: -0: kkolinko: I think that JSSESocketFactory.getEnabledProtocols() shall not return DEFAULT_SERVER_PROTOCOLS list in case if there are no @@ -71,12 +71,12 @@ PATCHES PROPOSED TO BACKPORT: I wish there were some debug logging to see what protocols are being filtered out by "if (protocol.contains("SSL"))". markt: Addressed in v2 patch - -0: schultz; I agree with Konstantin's critique. Small adjustments to the - proposal are in order. Additionally, the code for filtering protocols - should probably be factored-out into a separte method to ensure - the filtering stays consistent between the two methods that currently - do it. - markt: Addressed in v2 patch + + schultz: it's not clear from the code what will happen if + DEFAULT_SERVER_PROTOCOLS remains null. Would it be more clear + to use an empty string array instead of null? I seem to recall + slightly different "null" behavior in Oracle/OpenJDK versus + IBM JVMs. * Mitigate POODLE by disabling SSLv3 by default for APR/native http://svn.apache.org/r1632586 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org