[Bug 58891] Bad and/or dangerous SSL/TLS documentation

2016-05-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58891

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Mark Thomas  ---
Thanks for the suggestion. I haven't used the patch as is but I have updated
the SSL how-to based on this suggestion and the subsequent discussion.

The changes will be in:
- 9.0.0.M7 onwards
- 8.5.3 onwards
- 8.0.36 onwards
- 7.0.70 onwards
- 6.0.46 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 58891] Bad and/or dangerous SSL/TLS documentation

2016-01-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58891

--- Comment #4 from Remy Maucherat  ---
Generally, I would like to keep the SSL page as a quick start, focusing on
people being able to test SSL with Tomcat as easily as possible.

BTW, the session cookie should be marked secure and shouldn't be leaked
(assuming it is created by auth, and if it is not, the auth is supposed to
renew it).

The main thing I'd agree on is removing the segment on hosts, since now it is
implemented.




[Bug 58891] Bad and/or dangerous SSL/TLS documentation

2016-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58891

--- Comment #3 from Christopher Schultz  ---
I like the idea, I don't like your re-write as it stands. A certificate, for
instance, does not guarantee security of a site. The site can be full of
malware designed to attack you and still have a certificate. The certificate is
a part of common deployments of TLS, and allows for the authentication of a web
site (via a third party certificate authority) and the beginning of the
negotiation of encryption keys for a session.

Perhaps what we should say is this:

TLS is complex! Go read all about it [provide links] and then come back here
for the configuration details.




[Bug 58891] Bad and/or dangerous SSL/TLS documentation

2016-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58891

--- Comment #2 from Alexander Kjäll  ---
Hi

I agree that SSL is complex, and I don't think it's within the scope of the
Tomcat documentation to address all aspects of it; it can be very lengthy to
describe how different attack vectors work, for example. I feel that a good
condensed version could be to give advice that doesn't expose users to security
vulnerabilities.

But the SSL "landscape" has changed significantly since the original text was
written and my personal opinion is that the text needs to be a bit updated so
that it reflects how the world works today.

Maybe we can break down the changes that I feel are important from a security
perspective and talk about them point by point, I'm of course willing to
rewrite the patch again to incorporate your feedback.

1) About self-signed certs:

This is pretty important, as the original text portrays scenarios where end
users are presented with self-signed certs.

A self-signed cert should never be presented to end users as this doesn't offer
any protection against an attacker that does a man-in-the-middle attack.

There is also no real reason to not get your certificate signed by a real CA
now that Let's Encrypt offers SSL/TLS certificates that are both free and
automatable.

2) Mixing SSL and non-SSL pages.

This advice is also important to remove; if people do SSL like this it's
trivial to steal session cookies.

With today's hardware it's also not that computationally expensive to make sure
all content is distributed over a secure channel.

I feel that it adds value to say something about not mixing SSL/non-SSL
content, but that could maybe be removed.

3) Information about HSTS.

This isn't that important, it's more of a nice to have.

4) SNI information.

This section could maybe be phrased differently? Maybe say something about the
SSL limitation to one certificate per IP not being that important now that
people use IPv6?

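
The points raised in comment #2 (not mixing SSL and non-SSL pages, HSTS) and in comment #4 (session cookie marked secure), shown as an added example that is not part of this thread or of the Tomcat documentation. It is a `WEB-INF/web.xml` for a hypothetical application, and it assumes a Servlet 3.0+ container and a Tomcat version that ships `org.apache.catalina.filters.HttpHeaderSecurityFilter`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hypothetical application descriptor, not from the thread. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Comment #4: the session cookie is only ever sent over TLS and is not
       readable from page scripts. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <!-- Keep the session id out of URLs, where it would leak via logs and
         Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- Comment #2, point 2: no mixed SSL/non-SSL pages. Every URL requires a
       confidential transport; Tomcat redirects plain HTTP requests to the
       connector's redirectPort. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Comment #2, point 3: HSTS, so returning browsers go straight to HTTPS.
       The max-age value (one year) is an assumption; start lower when
       rolling this out. -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```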



[Bug 58891] Bad and/or dangerous SSL/TLS documentation

2016-01-19 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58891

--- Comment #1 from Remy Maucherat  ---
IMO this howto is a quick start with running the SSL connectors and testing
them, intended for developers. SSL is complex! It could be a good idea to add
some "production" SSL information in addition to that though, but I wouldn't
replace the existing content.
