[
https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17354555#comment-17354555
]
Richard Zowalla edited comment on GERONIMO-6793 at 5/31/21, 4:54 PM:
---------------------------------------------------------------------
I agree, that tuning ciphers is a very special case and requires a lot of
(background) knowledge to find a concise and working solution / list of
ciphers. Even, if you are managing self-hosted mail infrastructure, every small
cipher change can break multiple clients (we experienced it in the past ...).
So the non-breaking way would probably be
# Allow to override the default via _mail.protocol.xx.mail.ciphersuites_ (and
leave the current default as is)
# Provide appropriate logging (show which ciphers are used) - maybe also give
a hint, that all supported ciphers are used, if the property is not set
# Update the README.txt to document the new behaviour and give some hints on
how to determine the list of supported ciphers of a mail server
Personally, I can live with both ways as long as I can specify the ciphers
easily ... ;)
was (Author: rzo1):
I agree, that tuning ciphers is a very special case and requires a lot of
(background) knowledge to find a concise and working solution / list of
ciphers. Even, if you are managing self-hosted mail infrastructure, every small
cipher change can break multiple clients (we experienced it in the past ...).
So the non-breaking way would probably be
# Allow to override the default via _mail.protocol.smtp.mail.ciphersuites_
(and leave the current default as is)
# Provide appropriate logging (show which ciphers are used) - maybe also give
a hint, that all supported ciphers are used, if the property is not set
# Update the README.txt to document the new behaviour and give some hints on
how to determine the list of supported ciphers of a mail server
Personally, I can live with both ways as long as I can specify the ciphers
easily ... ;)
> Do not auto-enable all available Cyphers in TLS/SSL protocol handling in
> MailConnection
> ---------------------------------------------------------------------------------------
>
> Key: GERONIMO-6793
> URL: https://issues.apache.org/jira/browse/GERONIMO-6793
> Project: Geronimo
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: mail
> Reporter: Richard Zowalla
> Priority: Major
>
> Check and discuss, if it is a good idea to enable all cyphers in TLS/SSL
> protocol handling in MailConnection.java
> Some cyphers are deprecated for good reasons and shouldn't be used.
> This enhancement might possibily include
> * Allow users to specifiy cyphers via properties (custom factory is already
> possible)
> * If we have no user defined cyphers available, fallback to the JVMs default
> cyphers.
>
> This is a follow up issue raised from the discussion on the dev mailing list,
> see
> http://mail-archives.apache.org/mod_mbox/geronimo-dev/202012.mbox/%3C096fbb867eda8e090eddf80fbd81cf787ac87945.camel%40hs-heilbronn.de%3E
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
