Hi,

On Wed, Mar 16, 2016 at 3:46 PM, Marvin Addison <[email protected]> wrote:
> I'm troubled by the following commit:
>
> https://github.com/eclipse/jetty.project/commit/0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb
>
> That prevents the following cipher suites _by default_ required for TLS1
> interoperability according to NIST [1]:
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA
>
> In our testing, this effectively requires clients to negotiate TLS 1.2
> connections, which is simply impractical. While our strict set of cipher
> suites may be contributing to this behavior, it's a pretty dramatic change
> in defaults for a patch release (9.3.6-9.3.7). I appreciate your desire to
> ship secure defaults, but I think this may go too far. Of course it's an
> easy fix to explicitly configure all SSL protocol settings explicitly, but I
> burnt several hours tracking down what to override. I encourage you to
> reconsider.
Well, on the other hand, exactly because of this change you became aware of security vulnerabilities that you may have missed :)

It is always a tough call; given that "minor" Jetty releases (e.g. 9.3 -> 9.4) may take several months, it may not be considered sensible that we delay safer defaults for such a long time.

If you have an idea on how to handle this better, providing prompt safer defaults without breaking apps, we are all ears.

Thanks!

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
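The interoperability effect discussed in this thread can be checked on a given JVM before upgrading. The following is an added example, not code from the thread or from Jetty: it applies an exclusion regex to the JVM's supported cipher suites and reports whether the two suites named above survive and whether anything usable before TLS 1.2 is left. The class name `CipherExcludeAudit` is hypothetical, and both the default regex and the full-match semantics are assumptions; pass the exclude patterns your own Jetty configuration applies as arguments.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class CipherExcludeAudit {
    // Suites quoted in the thread as required for TLS 1.0 interoperability.
    static final List<String> REQUIRED = Arrays.asList(
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");

    // Suites whose names end in _SHA256/_SHA384 (CBC-SHA2, GCM, ChaCha20, TLS 1.3)
    // can only be negotiated by TLS 1.2 or later.
    static boolean needsTls12(String suite) {
        return suite.endsWith("_SHA256") || suite.endsWith("_SHA384");
    }

    // Drop every suite that fully matches any exclude pattern (assumed semantics).
    static List<String> survivors(String[] supported, List<Pattern> excludes) {
        return Arrays.stream(supported)
                .filter(s -> !s.endsWith("_SCSV")) // signalling value, not a real suite
                .filter(s -> excludes.stream().noneMatch(p -> p.matcher(s).matches()))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // ASSUMPTION: placeholder pattern, not taken from the thread or the commit.
        String[] raw = args.length > 0 ? args : new String[] {"^.*_(MD5|SHA|SHA1)$"};
        List<Pattern> excludes = Arrays.stream(raw).map(Pattern::compile)
                .collect(Collectors.toList());
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        List<String> left = survivors(supported, excludes);

        for (String s : REQUIRED) {
            // Newer JVMs may not list 3DES at all, so report that case separately.
            String state = !Arrays.asList(supported).contains(s) ? "not supported by this JVM"
                    : left.contains(s) ? "still available" : "removed by exclude pattern";
            System.out.println(s + ": " + state);
        }
        long pre12 = left.stream().filter(s -> !needsTls12(s)).count();
        System.out.println(left.size() + " suites survive, " + pre12 + " usable before TLS 1.2");
        if (pre12 == 0) {
            System.out.println("Result: TLS 1.0/1.1 clients cannot complete a handshake");
        }
    }
}
```

Running it with the excludes from the old and the new configuration side by side shows which client population a defaults change cuts off.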
