On Wed, Mar 16, 2016 at 11:09 AM Simone Bordet <[email protected]> wrote:
> If you have an idea on how to handle this better, providing prompt
> safer defaults without breaking apps, we are all ears.
>
In this case, I think the following patch is a much better balance of
security and backward compatibility:
diff --git
a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 55877cd..eb966f8 100644
---
a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++
b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -250,7 +250,7 @@ public class SslContextFactory extends AbstractLifeCycle
setTrustAll(trustAll);
addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
setExcludeCipherSuites(
- "^.*_RSA_.*_(MD5|SHA|SHA1)$",
+ "^.*_RSA_.*_MD5$",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
}
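Review bot: In the setExcludeCipherSuites(...) call, narrowing the first pattern to "^.*_RSA_.*_MD5$" stops excluding every RSA suite whose name ends in _SHA or _SHA1, whatever bulk cipher the name carries. A suite such as SSL_RSA_WITH_RC4_128_SHA would no longer match any of the three entries shown here. The trailing token of a suite name is the record MAC hash, so this list does not govern which signature algorithms the handshake accepts; if that is the goal it needs a separate control. If SHA-1 MAC suites are to be allowed again, consider adding explicit patterns for the ciphers that should stay off (RC4, DES, EXPORT) alongside the MD5 pattern, and a comment above the call recording why each entry is there.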
In most of the reports I've read, the attack of greatest concern is a MITM
forcing an MD5 signature algorithm, which my patch prevents. SHA1 is still
widely used and it really ought to be supported by default for the time
being.
Best,
Marvin