Hi

OpenJ9 is not affected, I think, so the version wouldn't be enough; the JVM name
should be tested too.

On Sat 30 Apr 2022 at 00:18, Mark Thomas <ma...@apache.org> wrote:

> On 29/04/2022 19:41, Christopher Schultz wrote:
>
> <snip/>
>
> > 1. The underlying JVM is affected
> > 2. A Connector is defined which uses mutual TLS
> > 3. The client's key is ECDSA
>
> <snip/>
>
> > I was thinking that on startup, we could check for a vulnerable
> > environment and simply refuse to start the server.
> >
> > If there are no objections, I was thinking of putting this into the
> > SecurityListener. I assume that all the necessary information is
> > available to a LifecycleListener such as being able to enumerate the
> > Connectors to check on items #2 and #3 above?
>
> My understanding is that a CA with an RSA key can sign a client cert
> with an ECDSA key. In that scenario, if the Tomcat system has been
> configured with just the CA's trusted cert (a likely scenario since you
> don't want to have to update the trusted certs every time you add a
> user) then test #3 won't work.
>
> I'm wondering if we want to introduce a Java version equivalent of the
> checks we have for Tomcat Native version. i.e. for each major Java
> version, have a minimum required version where Tomcat won't start if
> used and a recommended version where Tomcat starts with a warning.
>
> One of the arguments against adding checks like these is that they only
> work if folks update Tomcat. If folks are updating Tomcat regularly then
> they are likely updating the JRE too. So I wonder what the return on the
> investment is.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>
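The two points above (a per-major-Java-version minimum/recommended check in the style of the Tomcat Native check, plus the reply's suggestion that the JVM name be tested as well) can be sketched as a single startup check. The following is an added example for this thread, not Tomcat's code and not a patch that was proposed on the list. The threshold numbers are placeholders with no relation to any real advisory, the `java.vm.name` substring for OpenJ9 is an assumption about what that JVM reports, and the OpenJ9 exemption simply takes the reply's statement at face value. The Connector and client-key checks (#2 and #3 in Christopher's list) are out of scope here.

```java
import java.util.Map;

/**
 * Sketch of a JVM-level startup check: for each Java feature release, a minimum
 * update below which startup is refused and a recommended update below which a
 * warning is logged. Example code, not Tomcat's; thresholds are placeholders.
 */
public final class JvmVersionCheck {

    public enum Verdict { OK, WARN, FAIL }

    /** Minimum (refuse to start) and recommended (warn) update numbers for one feature release. */
    public record Threshold(int minimum, int recommended) {}

    // PLACEHOLDER values only. Real thresholds would be filled in from the relevant advisory.
    static final Map<Integer, Threshold> THRESHOLDS = Map.of(
            17, new Threshold(3, 4),
            18, new Threshold(1, 1));

    // JVM implementations the check exempts regardless of version. The reply in this thread
    // says OpenJ9 is not affected; the substring is an assumption about its java.vm.name value.
    static final String[] EXEMPT_VM_NAME_MARKERS = { "OpenJ9" };

    /** Decide the verdict for a given java.vm.name value and parsed Runtime.Version. */
    public static Verdict evaluate(String vmName, Runtime.Version version) {
        // JVM-name test first: version alone does not identify the implementation.
        for (String marker : EXEMPT_VM_NAME_MARKERS) {
            if (vmName != null && vmName.contains(marker)) {
                return Verdict.OK;
            }
        }
        Threshold t = THRESHOLDS.get(version.feature());
        if (t == null) {
            return Verdict.OK; // feature release not in the table: the check has nothing to say
        }
        int update = version.update();
        if (update < t.minimum()) {
            return Verdict.FAIL;
        }
        if (update < t.recommended()) {
            return Verdict.WARN;
        }
        return Verdict.OK;
    }

    /** Convenience entry point for the JVM this code is running on. */
    public static Verdict evaluateRunningJvm() {
        return evaluate(System.getProperty("java.vm.name"), Runtime.version());
    }

    public static void main(String[] args) {
        // Constructed inputs exercising each branch; none describe a real JVM's actual status.
        String hotspot = "OpenJDK 64-Bit Server VM";
        String openj9 = "Eclipse OpenJ9 VM";
        System.out.println(evaluate(hotspot, Runtime.Version.parse("17.0.2")));  // below placeholder minimum
        System.out.println(evaluate(hotspot, Runtime.Version.parse("17.0.3")));  // at minimum, below recommended
        System.out.println(evaluate(hotspot, Runtime.Version.parse("17.0.4")));  // at recommended
        System.out.println(evaluate(openj9, Runtime.Version.parse("17.0.2")));   // exempted by JVM name
        System.out.println(evaluate(hotspot, Runtime.Version.parse("11.0.15"))); // feature release not in table
        System.out.println("Running JVM: " + evaluateRunningJvm());
    }
}
```

In a real listener the FAIL verdict would map to throwing from the lifecycle event handler so the server refuses to start, and WARN to a log message; both thresholds would need updating with each Tomcat release, which is exactly the return-on-investment question Mark raises above.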
