On Wed, Mar 16, 2016 at 1:43 PM Joakim Erdfelt <[email protected]> wrote:
> Take a look at the JVM security setting some time.
>

I know that file well enough to know off the top of my head that SHA1 is not disabled in the fairly recent JDK 1.8 I'm using. I was curious to know whether they had dropped it since January without my noticing. The entries for SHA-0 and SHA-1 blocks are coming.

> So it's not disabled by default at present, thus the Jetty project is taking a considerably more conservative approach than the latest JVM right now.

That's fine, just needs to be clearly communicated. Additionally, Oracle has a good track record of communicating cipher/strength changes in release notes. The DH key size was a recent change that was communicated clearly and prominently.

See your jetty-distribution-9.3.7.v20160115/VERSION.txt

> + 485714 Update SSL configuration to mitigate SLOTH vulnerability

Says nothing about the security impact of the change, which is the point I'm trying to make. It should say the following: Disables RSA+MD5 and RSA+SHA1 ciphers by default.

That's a fair criticism, and I hope you'll take it and improve communication in the release announcement and/or changelog in the future.

M
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
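The two policies discussed above (what the JVM's java.security file disables via jdk.tls.disabledAlgorithms, and what Jetty excludes on top of that) can be compared on a concrete JDK with a small audit program. The following is an added example, not code from the thread, from Jetty or from the JDK; the class name TlsAlgorithmAudit and its helper methods are mine, and the regex "^.*_(MD5|SHA|SHA1)$" is assumed to be the cipher-suite exclusion Jetty 9.3.x applies by default after the 485714 change, which you should verify against SslContextFactory.DEFAULT_EXCLUDED_CIPHER_SUITES in the Jetty version you actually run.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * TlsAlgorithmAudit: an added, hypothetical audit utility (not part of Jetty or the JDK).
 * It reports what the running JVM's java.security file disables for TLS
 * (jdk.tls.disabledAlgorithms) and which of the JVM's default-enabled cipher suites a
 * Jetty-style exclusion pattern would drop on top of that.
 */
public class TlsAlgorithmAudit {

    /**
     * Assumption: the pattern Jetty 9.3.x SslContextFactory applies by default to drop
     * suites whose name ends in _MD5, _SHA or _SHA1 (the 485714 / SLOTH change).
     * Verify against SslContextFactory.DEFAULT_EXCLUDED_CIPHER_SUITES in your version.
     */
    static final Pattern JETTY_WEAK_SUITE_PATTERN = Pattern.compile("^.*_(MD5|SHA|SHA1)$");

    /**
     * True if the comma-separated jdk.tls.disabledAlgorithms value names the algorithm.
     * Simplified parser: each entry is reduced to its first token, so "DH keySize < 768"
     * is seen as "DH"; keySize constraints are not evaluated.
     */
    static boolean jvmDisables(String disabledAlgorithms, String algorithm) {
        if (disabledAlgorithms == null || disabledAlgorithms.trim().isEmpty()) {
            return false;
        }
        for (String entry : disabledAlgorithms.split(",")) {
            String name = entry.trim().split("\\s+")[0];
            if (name.equalsIgnoreCase(algorithm)) {
                return true;
            }
        }
        return false;
    }

    /** True if the Jetty-style pattern would exclude this cipher suite name. */
    static boolean jettyWouldExclude(String cipherSuite) {
        return JETTY_WEAK_SUITE_PATTERN.matcher(cipherSuite).matches();
    }

    /** Suites the JVM enables by default that the Jetty-style pattern would still drop. */
    static List<String> enabledButExcludedByJetty(String[] enabledSuites) {
        List<String> out = new ArrayList<>();
        for (String suite : enabledSuites) {
            if (jettyWouldExclude(suite)) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("java.runtime.version       = " + System.getProperty("java.runtime.version"));
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        // Signature/hash names relevant to the MD5/SHA-1 discussion in the thread.
        for (String alg : new String[] {"MD5withRSA", "SHA1withRSA", "MD5", "SHA1"}) {
            System.out.printf("  JVM disables %-12s : %s%n", alg, jvmDisables(disabled, alg));
        }

        // Cipher suites the JVM enables by default, before any Jetty exclusion is applied.
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        String[] enabled = defaults.getCipherSuites();
        List<String> dropped = enabledButExcludedByJetty(enabled);

        System.out.printf("%nJVM enables %d suites by default; Jetty-style pattern would drop %d:%n",
                enabled.length, dropped.size());
        for (String suite : dropped) {
            System.out.println("  " + suite);
        }
    }
}
```

Compile and run it with the same JDK that serves Jetty (javac TlsAlgorithmAudit.java && java TlsAlgorithmAudit). One thing the output makes visible that the changelog line does not: a cipher suite name ending in _SHA denotes HMAC-SHA1 for the record layer, not the SHA-1 signature hash that the SLOTH transcript-collision attack targets, so a name-based exclusion of _MD5/_SHA/_SHA1 suites is a broader cut than "RSA+MD5 and RSA+SHA1 signatures", which is exactly the kind of impact statement the release notes should spell out.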
