[jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
[ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14502706#comment-14502706 ]

ASF subversion and git services commented on QPIDJMS-38:

Commit 2a5f89a1c144c0734491c9264de08c08627e4033 in qpid-jms's branch refs/heads/master from Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=2a5f89a ]

QPIDJMS-38: use enabled protocols as starting point in the tests, avoiding issues from on-the-fly SSLv3 disabling performed by newer JVMs

updates to SSL/TLS configuration and/or handling

Key: QPIDJMS-38
URL: https://issues.apache.org/jira/browse/QPIDJMS-38
Project: Qpid JMS
Issue Type: Improvement
Components: qpid-jms-client
Reporter: Robbie Gemmell
Assignee: Robbie Gemmell
Fix For: 0.2.0

Some updates to our SSL/TLS configuration and/or handling:

For 0.1.0 the docs said we don't set a default value for the 'enabledProtocols' transport option, relying on the JVM defaults if none were configured explicitly. However the code actually did have a default. One of those enabled was the SSLv2Hello pseudo protocol, which would make the older Hello format be used even for TLS connections, even though this behaviour is now disabled by default for client connections since Java 7. The code will be updated to remove the transport configuration default and let it do what the docs said by using the defaults given when creating the SSLEngine from the SSLContext. This will mean that any newer protocols will be useable as they become available and that we won't explicitly enable protocols by default that might become disabled for security reasons (e.g. like SSLv3 has been disabled in many JVMs now).

The transport code will be updated to explicitly disable SSLv2Hello and SSLv3 rather than relying on them not being configured as enabled.

The SSLContext instance is created using a hard coded protocol option of TLS currently. This should be configurable to allow users to choose the value most appropriate to their needs/JVM.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
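The protocol selection described in the issue, as an added example that is not part of the original messages and is not the qpid-jms code: the SSLEngine's own enabled protocols are the starting point, a disabled list is always applied on top, and the SSLContext protocol is a parameter. The class name, `selectProtocols`, `DISABLED` and the choice to skip unsupported names are assumptions made for this sketch.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolSelectionExample {
    // Assumed defaults for this sketch, following the issue text: these two are always stripped.
    static final List<String> DISABLED = Arrays.asList("SSLv2Hello", "SSLv3");

    // configured == null means no 'enabledProtocols' was set: start from the engine's own defaults.
    static String[] selectProtocols(SSLEngine engine, String[] configured, List<String> disabled) {
        List<String> selected = new ArrayList<>();
        if (configured == null) {
            selected.addAll(Arrays.asList(engine.getEnabledProtocols()));
        } else {
            // Drop names this JVM does not support; setEnabledProtocols would reject them.
            List<String> supported = Arrays.asList(engine.getSupportedProtocols());
            for (String name : configured) {
                if (supported.contains(name)) {
                    selected.add(name);
                }
            }
        }
        // The disabled list wins even over an explicit enable.
        selected.removeAll(disabled);
        if (selected.isEmpty()) {
            throw new IllegalStateException("no protocol left enabled after filtering");
        }
        return selected.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Context protocol is a parameter rather than a hard-coded "TLS".
        String contextProtocol = args.length > 0 ? args[0] : "TLS";
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // default key/trust managers
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true);

        System.out.println("JVM defaults:    " + Arrays.toString(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(selectProtocols(engine, null, DISABLED));
        System.out.println("after filtering: " + Arrays.toString(engine.getEnabledProtocols()));

        // Constructed override that tries to re-enable SSLv3 next to TLSv1.2.
        String[] override = {"SSLv3", "TLSv1.2"};
        engine.setEnabledProtocols(selectProtocols(engine, override, DISABLED));
        System.out.println("with override:   " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The printed lists differ between JVM versions, which is the reason the issue gives for starting from the engine's defaults instead of a fixed list.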
[jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
[ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14496207#comment-14496207 ]

ASF subversion and git services commented on QPIDJMS-38:

Commit cf732f90138186a8486bfb4df47880724cfc527d in qpid-jms's branch refs/heads/master from Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=cf732f9 ]

QPIDJMS-39: Add some initial tests to ensure the config options are wired up. Need more to ensure the options take effect. Also catches and fixes a defect in changes for QPIDJMS-38.
[jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
[ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14492652#comment-14492652 ]

ASF subversion and git services commented on QPIDJMS-38:

Commit d78d4dc06a7dc98f644b21c8c6f1f0f0562884bf in qpid-jms's branch refs/heads/master from Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=d78d4dc ]

QPIDJMS-38: update configuration docs to include the transport.disabledProtocols option explicitly
[jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
[ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14491601#comment-14491601 ]

JAkub Scholz commented on QPIDJMS-38:

Is it intentional that the transport.disabledProtocols option doesn't seem to be mentioned in the documentation?