https://bz.apache.org/bugzilla/show_bug.cgi?id=64409
Bug ID: 64409
Summary: Usage of TLS is insecure
Product: Tomcat 9
Version: 9.0.x
Hardware: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: mdmahiras...@vt.edu
Target Milestone: -----

Vulnerability Description:
In "java/org/apache/catalina/tribes/membership/cloud/TokenStreamProvider.java" file the following code was written in TokenStreamProvider(String token, String caCertFile) throws Exception method -

    SSLContext context = SSLContext.getInstance("TLS");

The vulnerability is, using "TLS" as the argument to SSLContext.getInstance method.

Reason it's vulnerable: TLS 1.0 is vulnerable to man-in-the-middle attacks.

For further reference: https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php

Suggested Fix: Using SSLContext.getInstance("TLSv1.3").

Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -
1. Liked it and will make the suggested changes
2. Liked it but happy with the existing version
3. Didn't find the suggestion helpful