[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352668#comment-17352668 ]
Fredrik Jonson commented on GERONIMO-6793:
------------------------------------------

The current geronimo-javamail implementation _already_ aligns with and relies on the jvm defaults today, only it is currently using all the jvm's _supported_ ciphers instead of only its _enabled_ ciphers. So, surely geronimo-javamail _can continue to align_ with the jvm defaults, changing it only to use the set of _enabled_ jvm ciphers for tls sockets by default instead. That follows the principle of least surprise, and general knowledge of TLS configuration for the jvm.

And if someone for some reason does not want to use the same default enabled ciphers for their smtp client in geronimo-javamail as for their other jvm TLS socket clients, they will be able to override it with the "mail.smtp.ssl.ciphersuites" property when that is implemented.

That would also be consistent with the proposed patch in GERONIMO-6792, which also uses the _jvm default protocols_ if nothing else is specified by the javamail property mail.smtp.ssl.protocols.

BTW, in OpenJDK the jvm http client has a specific flag "https.cipherSuites" which affects only http clients. So if you have specific needs for http, you do not have to modify the general "jdk.tls.client.cipherSuites" which applies to all client TLS sockets.

> Do not auto-enable all available Cyphers in TLS/SSL protocol handling in
> MailConnection
> ---------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-6793
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6793
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues)
>          Components: mail
>            Reporter: Richard Zowalla
>            Priority: Major
>
> Check and discuss, if it is a good idea to enable all cyphers in TLS/SSL
> protocol handling in MailConnection.java
> Some cyphers are deprecated for good reasons and shouldn't be used.
> This enhancement might possibly include
> * Allow users to specify cyphers via properties (custom factory is already
> possible)
> * If we have no user defined cyphers available, fall back to the JVM's default
> cyphers.
>
> This is a follow-up issue raised from the discussion on the dev mailing list,
> see
> http://mail-archives.apache.org/mod_mbox/geronimo-dev/202012.mbox/%3C096fbb867eda8e090eddf80fbd81cf787ac87945.camel%40hs-heilbronn.de%3E
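The supported-versus-enabled distinction the comment turns on, as an added Java example that is not geronimo-javamail's code: `enableAllSupported` is the pattern the issue objects to and `enableDefaultOrConfigured` the proposed default. The `mail.smtp.ssl.ciphersuites` property name comes from the issue; its whitespace-separated format and the validation against the JVM's supported list are assumptions made here.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class MailCipherDefaults {
    // The pattern the issue objects to: enable every suite the JVM *supports*.
    // That widens the enabled set to legacy suites the JVM leaves off by default.
    static String[] enableAllSupported(SSLSocket socket) {
        String[] all = socket.getSupportedCipherSuites();
        socket.setEnabledCipherSuites(all);
        return all;
    }

    // The behaviour argued for in the comment: keep the JVM's *enabled* set
    // (which already honours jdk.tls.client.cipherSuites) unless the user gives an
    // explicit list. Whitespace-separated format and validation are assumptions.
    static String[] enableDefaultOrConfigured(SSLSocket socket, String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return socket.getEnabledCipherSuites();
        }
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
        String[] requested = configured.trim().split("\\s+");
        for (String suite : requested) {
            if (!supported.contains(suite)) {
                throw new IllegalArgumentException("cipher suite not supported by this JVM: " + suite);
            }
        }
        socket.setEnabledCipherSuites(requested);
        return requested;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // An unconnected socket is enough to inspect and set suites; no network is used.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            Set<String> extra = new LinkedHashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
            extra.removeAll(Arrays.asList(socket.getEnabledCipherSuites()));
            System.out.println("JVM default enabled: " + socket.getEnabledCipherSuites().length
                    + ", supported but not enabled: " + extra.size());
            extra.forEach(s -> System.out.println("  would be switched on by enableAllSupported: " + s));
            String fromProperty = System.getProperty("mail.smtp.ssl.ciphersuites");
            String[] chosen = enableDefaultOrConfigured(socket, fromProperty);
            System.out.println("enabled for the mail socket: " + chosen.length + " suite(s)");
        }
    }
}
```

Run it with and without `-Dmail.smtp.ssl.ciphersuites="..."` to see the default set stay untouched in the first case and the explicit list take over in the second.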