[Bug 57464] Please support for TLS Fallback SCSV

2015-05-19 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57464

Mark Thomas ma...@apache.org changed:

   What       | Removed  | Added
   Status     | NEEDINFO | RESOLVED
   Resolution | ---      | INVALID

--- Comment #4 from Mark Thomas ma...@apache.org ---
There is nothing for Tomcat to do here. Server side support will be enabled by
default when/if it is made available in JSSE. At the time of writing, it wasn't
available.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 57464] Please support for TLS Fallback SCSV

2015-01-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464

Konstantin Kolinko knst.koli...@gmail.com changed:

   What   | Removed | Added
   Status | NEW     | NEEDINFO

--- Comment #2 from Konstantin Kolinko knst.koli...@gmail.com ---
As far as I am reading this, the check for the presence of the TLS_FALLBACK_SCSV
cipher in the cipher list provided by the client should happen during protocol and
cipher negotiation in the TLS/SSL library.

That happens outside of Tomcat's control. If the feature is implemented in the
underlying libraries (Java JSSE, OpenSSL) then I think it will be available
automatically, if they have it on by default.

At most Tomcat could provide options to control turning the feature off/on, if
such options are provided by the underlying libraries.


Looking at OpenSSL changelog, this feature is available since 1.0.1j. As far as
I understand, it is on by default, and I have not heard of a way to turn it
off.

The following blog post says how to test it:
https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html


To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol
downgrades. For example it can protect from a TLS 1.2 -> TLS 1.1 downgrade
caused by a MITM / unreliable network.

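As an added illustration of the server-side check described in the comment above (this is example code, not code from Tomcat, JSSE or OpenSSL), the following models the RFC 7507 logic: a server that supports a higher protocol version than the ClientHello announces, and sees TLS_FALLBACK_SCSV in the offered cipher suites, must reject the handshake with an inappropriate_fallback alert. The ClientHello bytes are constructed here, and the version compared is the pre-TLS 1.3 client_version field.

```python
# Example (not from the bug thread): RFC 7507 TLS_FALLBACK_SCSV check on a
# minimal ClientHello. Constants are the real wire values.
TLS_FALLBACK_SCSV = 0x5600              # the signaling cipher suite value
INAPPROPRIATE_FALLBACK = 86             # alert description defined by RFC 7507
TLS1_1, TLS1_2 = 0x0302, 0x0303


def build_client_hello(client_version, suites):
    """Construct a ClientHello handshake body (bytes after the 4-byte
    handshake header). Random is a fixed constructed value, not a nonce."""
    random = b"\x11" * 32
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    return (client_version.to_bytes(2, "big") + random
            + b"\x00"                          # empty session_id
            + len(cs).to_bytes(2, "big") + cs  # cipher_suites<2..2^16-2>
            + b"\x01\x00")                     # compression_methods: null only


def parse_client_hello(body):
    """Return (client_version, [cipher suite ids]) from a ClientHello body."""
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                # skip client_version + Random
    sid_len = body[pos]
    pos += 1 + sid_len                          # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[pos + i:pos + i + 2], "big")
              for i in range(0, cs_len, 2)]
    return version, suites


def fallback_check(body, server_max_version):
    """Server-side RFC 7507 rule. Returns the alert number to send, or None
    if the handshake may continue. Only the SCSV is checked here; normal
    cipher negotiation is out of scope for this example."""
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        # Client says "this is a retry at a lower version" but we support a
        # higher one: something in the path forced a downgrade.
        return INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    hello = build_client_hello(TLS1_1, [0x002F, TLS_FALLBACK_SCSV])
    print(fallback_check(hello, TLS1_2))  # 86: downgrade attempt rejected
```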



[Bug 57464] Please support for TLS Fallback SCSV

2015-01-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464

--- Comment #3 from Konstantin Kolinko knst.koli...@gmail.com ---
An OpenJDK patch and test case:
Disclaimer: just one of the first results found via googling. I do not know the
full story here.
https://fweimer.fedorapeople.org/openjdk/tls-fallback-scsv/jdk.patch


That is an OpenJDK patch. I do not know whether it has been applied to Oracle
Java. In any case, the patch is dated 2014-10-20 and the current versions of
Oracle Java (8u25, 7u72) were released a week earlier on 2014-10-14, so they
cannot contain it.

Usually a security update on Java (and other Oracle products) comes out in
January, but one has not been released yet.


Links to early access builds of Java have been mentioned on the Tomcat dev list.
Maybe somebody would like to test those.

http://mail-archives.apache.org/mod_mbox/tomcat-dev/201501.mbox/%3C54B90DB1.7050801%40oracle.com%3E




[Bug 57464] Please support for TLS Fallback SCSV

2015-01-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464

Mark Thomas ma...@apache.org changed:

   What     | Removed | Added
   Severity | normal  | enhancement

--- Comment #1 from Mark Thomas ma...@apache.org ---
This can't be supported for BIO or NIO since Java does not support it.

I assume it could be supported for APR/native but:
a) I haven't looked into it
b) I still don't see the point in expending effort on a feature that is only
required by very old clients that are themselves unsupported

That said, I'm not going to stand in anyone's way if they want to implement it
(unless the patch is very large and/or invasive).
