https://issues.apache.org/bugzilla/show_bug.cgi?id=57464

Konstantin Kolinko <knst.koli...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> ---
As far as I am reading this, the check for the presence of the TLS_FALLBACK_SCSV
cipher in the cipher list provided by the client should happen during protocol and
cipher negotiation in the TLS/SSL library.

That happens outside of Tomcat's control. If the feature is implemented in the
underlying libraries (Java JSSE, OpenSSL) then I think it will be available
automatically, if they have it "on" by default.

At most Tomcat could provide options to control turning the feature off/on, if
such options are provided by the underlying libraries.


Looking at the OpenSSL changelog, this feature has been available since 1.0.1j. As far
as I understand, it is "on" by default, and I have not heard of a way to turn it
off.

The following blog post explains how to test it:
https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html


To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol
downgrades. For example, it can protect from a TLS 1.2 -> TLS 1.1 downgrade
caused by a MITM or an unreliable network.

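The server-side check the comment refers to, shown as an added example that is not code from the bug report, Tomcat, OpenSSL or JSSE: it parses a minimal pre-TLS-1.3 ClientHello and applies the RFC 7507 rule (reject with the inappropriate_fallback alert when the client signals a fallback but offers a version lower than the server's best). The record builder, the assumed server maximum of TLS 1.2 and the constructed hello bytes are test scaffolding, not any real library's API.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86       # alert description "inappropriate_fallback", RFC 7507
SERVER_MAX_VERSION = (3, 3)       # assumption: TLS 1.2 is the highest this server supports


def build_client_hello(version, cipher_suites):
    """Construct a minimal TLS record carrying a ClientHello (test data only).
    No extensions are emitted, so the version is the legacy client_version field."""
    body = bytes(version) + b"\x00" * 32               # client_version + 32-byte random
    body += b"\x00"                                    # empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites    # cipher_suites vector
    body += b"\x01\x00"                                # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                            # 5-byte record + 4-byte handshake header
    version = (record[pos], record[pos + 1])
    pos += 2 + 32                                      # skip client_version and random
    sid_len = record[pos]
    pos += 1 + sid_len                                 # skip session id
    suites_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return version, suites


def fallback_decision(record, server_max=SERVER_MAX_VERSION):
    """RFC 7507 section 3: if the client includes TLS_FALLBACK_SCSV and its offered
    version is below the server's highest supported version, the handshake must be
    aborted with inappropriate_fallback. Returns the alert code, or None to proceed.
    (A TLS 1.3 client carries its versions in supported_versions, not handled here.)"""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return INAPPROPRIATE_FALLBACK
    return None
```

A client that genuinely only speaks TLS 1.1 never sends the SCSV, so it is unaffected; only a retried, downgraded connection from a newer client is rejected.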