On Wed, Mar 16, 2016 at 9:00 AM, Marvin Addison <[email protected]> wrote:
> On Wed, Mar 16, 2016 at 11:31 AM Joakim Erdfelt <[email protected]> wrote:
>
>> Also note that these SSL/TLS restrictions are being implemented at the
>> JVM level as well.
>
> You're saying that Oracle is disabling RSA+SHA1 by default? That is the
> effect of the change I cited, and if true is astounding.

Take a look at the JVM security setting some time.

[jdk-8u25]$ grep disabled jre/lib/security/java.security | grep -v "^#"
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

[jdk-8u45]$ grep disabled jre/lib/security/java.security | grep -v "^#"
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3

[jdk-8u72]$ grep disabled jre/lib/security/java.security | grep -v "^#"
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

They have a history now of following the general advice from browser vendors and various CVEs. If one (or both) disable a set of ciphers, then they also disable it in the JVM. The entries for SHA-0 and SHA-1 blocks are coming.

>> We have chosen to release as secure a product as we can.
>
> I respect that and said as much in my first note. While I personally
> disagree with the balance of security and compatibility introduced by the
> change, it's a defensible choice. That said, it's only fair to announce
> such dramatic changes clearly and broadly. The commit message is clear
> enough, but says nothing about the security impact, which is what matters
> most to deployers. Text like the following should be in the changelog or
> release announcement:
>
> Jetty 9.3.7 disables RSA+MD5 and RSA+SHA1 ciphers by default.
>
> I subscribe to jetty-announce, and I'm pretty sure a clear statement like
> that would have caught my attention. Looking through past mail, I see I
> missed a related discussion on this topic from Jan 20 where you clearly
> communicated the change to cipher suites. My bad. In any case it belongs in
> either changelog or release notes.

See your jetty-distribution-9.3.7.v20160115/VERSION.txt or the
http://central.maven.org/maven2/org/eclipse/jetty/jetty-project/9.3.7.v20160115/jetty-project-9.3.7.v20160115-version.txt
or the
https://github.com/eclipse/jetty.project/blob/jetty-9.3.7.v20160115/VERSION.txt#L4

- Joakim Erdfelt
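The grep shown above is a quick way to eyeball the JVM's disabled-algorithm list, but java.security is a Java properties file: a `#` line that merely mentions the word "disabled" matches, and a value split across backslash continuation lines is only partly shown. The script below is an added example for readers of this thread, not code from the thread or from the Jetty project. It parses a constructed java.security sample (modelled on the 8u72 output quoted above, with one continuation line added), joins continuations, skips comments, and answers the deployer's question "is algorithm X in jdk.tls.disabledAlgorithms on this JVM?". The function names `disabled_algorithms` and `is_disabled` are hypothetical.

```shell
#!/bin/sh
# Added example: read jdk.*.disabledAlgorithms from a java.security file
# properly (comments skipped, backslash continuations joined) and test
# whether a named algorithm is in the disabled set.

# Constructed sample in the style of jre/lib/security/java.security.
# Values mirror the JDK 8u72 output quoted in the thread; the tls entry is
# deliberately split over a continuation line, which a bare grep misses.
SAMPLE_SECURITY_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURITY_FILE"' EXIT
cat >"$SAMPLE_SECURITY_FILE" <<'EOF'
# A comment mentioning jdk.tls.disabledAlgorithms must be ignored.
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    MD5withRSA, DH keySize < 768
EOF

# disabled_algorithms FILE PROPERTY
# Prints the full value of PROPERTY with continuation lines joined.
disabled_algorithms() {
    awk -v prop="$2" '
        /^[[:space:]]*#/ { next }          # drop comment lines
        {
            line = $0
            # A trailing backslash continues the value on the next record.
            while (sub(/\\[[:space:]]*$/, "", line)) {
                if ((getline next_line) <= 0) break
                line = line next_line
            }
            idx = index(line, "=")
            if (idx == 0) next
            key = substr(line, 1, idx - 1)
            gsub(/[[:space:]]/, "", key)
            if (key == prop) {
                val = substr(line, idx + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
            }
        }' "$1"
}

# is_disabled FILE PROPERTY ALGORITHM
# Exit status 0 if ALGORITHM is one of the comma-separated entries.
is_disabled() {
    disabled_algorithms "$1" "$2" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -- "$3"
}

# Stand-alone report over the constructed sample.
for alg in SSLv3 RC4 MD5withRSA SHA1withRSA; do
    if is_disabled "$SAMPLE_SECURITY_FILE" jdk.tls.disabledAlgorithms "$alg"; then
        echo "jdk.tls.disabledAlgorithms: $alg is disabled"
    else
        echo "jdk.tls.disabledAlgorithms: $alg is NOT disabled"
    fi
done
```

To run the same check against a real installation, point the two functions at `$JAVA_HOME/jre/lib/security/java.security` (the path used in the grep above) instead of the sample; the report then tells you, per JVM, whether the SHA-1 based suites Marvin asks about are already blocked by the runtime or only by Jetty's own configuration.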
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
