Mark,

On 4/29/22 18:17, Mark Thomas wrote:
> On 29/04/2022 19:41, Christopher Schultz wrote:
>>
>> <snip/>
>>
>> 1. The underlying JVM is affected
>> 2. A Connector is defined which uses mutual TLS
>> 3. The client's key is ECDSA
>>
>> <snip/>
>>
>> I was thinking that on startup, we could check for a vulnerable environment and simply refuse to start the server.
>>
>> If there are no objections, I was thinking of putting this into the SecurityListener. I assume that all the necessary information is available to a LifecycleListener, such as being able to enumerate the Connectors to check on items #2 and #3 above?
>
> My understanding is that a CA with an RSA key can sign a client cert with an ECDSA key. In that scenario, if the Tomcat system has been configured with just the CA's trusted cert (a likely scenario since you don't want to have to update the trusted certs every time you add a user) then test #3 won't work.

Yup. I'm thinking that #1 and #2 should be the only things we consider.

> I'm wondering if we want to introduce a Java version equivalent of the checks we have for Tomcat Native version, i.e. for each major Java version, have a minimum required version where Tomcat won't start if used and a recommended version where Tomcat starts with a warning.

In this case, where there is a clear and present danger, I would advocate for going beyond just a warning.

> One of the arguments against adding checks like these is that they only work if folks update Tomcat. If folks are updating Tomcat regularly then they are likely updating the JRE too. So I wonder what the return on the investment is.

Honestly, this is going to take less time to code than discuss, and I think it may help some people. That's why I was asking on dev@ to see if any non-committers had any thoughts.

The response so far has been lukewarm, so maybe it's not really worth it.

-chris
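The startup check sketched in this thread (refuse to start when the JVM is affected and a Connector uses client certificate authentication, i.e. conditions #1 and #2 only, since #3 cannot be decided from the trust store) could be implemented as a LifecycleListener like the one below. This is an added example for this archive page, not code from the thread, from Tomcat or from the SecurityListener. The class name `VulnerableJvmListener` and its package are hypothetical; the `FIRST_FIXED_UPDATE` table holds a PLACEHOLDER entry because the thread does not state which JDK update levels are affected, and the real values would have to come from the JDK vendor's advisory. The Tomcat APIs used (`Server.findServices()`, `Service.findConnectors()`, `Connector.findSslHostConfigs()`, `AbstractHttp11Protocol.isSSLEnabled()`, `SSLHostConfig.getCertificateVerification()`) are the 8.5/9.x/10.x ones.

```java
package example; // hypothetical package, not part of Tomcat

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

/**
 * Hypothetical listener, registered under <Server> in server.xml as
 * <Listener className="example.VulnerableJvmListener"/>.
 * Refuses to start the server when the running JVM is in the affected
 * range (condition #1) AND at least one TLS connector asks the client for
 * a certificate (condition #2). Condition #3 (client key type) is not
 * checked, for the reason given in the thread.
 */
public class VulnerableJvmListener implements LifecycleListener {

    /** Java major version -> first update level that carries the fix. */
    private static final Map<Integer, Integer> FIRST_FIXED_UPDATE = new HashMap<>();
    static {
        // PLACEHOLDER entry: replace with the majors/updates named in the
        // JDK advisory. Major 99 is used so this sample never matches a real JVM.
        FIRST_FIXED_UPDATE.put(99, 1);
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Same hook SecurityListener uses: everything in server.xml has been
        // parsed, nothing has been initialised yet.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        if (!(event.getLifecycle() instanceof Server)) {
            return;
        }
        String javaVersion = System.getProperty("java.version");
        if (!isAffectedJvm(javaVersion)) {
            return;
        }
        List<String> mtls = mutualTlsConnectors((Server) event.getLifecycle());
        if (mtls.isEmpty()) {
            return;
        }
        // Refuse to start. An unchecked Error is thrown because
        // lifecycleEvent() cannot declare a checked exception.
        throw new Error("Refusing to start: java.version " + javaVersion
                + " is in the affected range and connector(s) " + mtls
                + " request client certificates");
    }

    /** True when the major is in the table and the update is below the fixed one. */
    static boolean isAffectedJvm(String javaVersion) {
        int[] v = parseVersion(javaVersion);
        Integer fixed = FIRST_FIXED_UPDATE.get(v[0]);
        return fixed != null && v[1] < fixed;
    }

    /** "1.8.0_332" -> {8, 332}; "17.0.3" -> {17, 3}; "11.0.15+10" -> {11, 15}. */
    static int[] parseVersion(String s) {
        String core = s.split("[+\\-]")[0];      // drop build / pre-release suffix
        String[] parts = core.split("[._]");
        int major = Integer.parseInt(parts[0]);
        int update;
        if (major == 1) {                        // legacy scheme: 1.8.0_332
            major = Integer.parseInt(parts[1]);
            update = parts.length > 3 ? Integer.parseInt(parts[3]) : 0;
        } else {                                 // Java 9+ scheme: 17.0.3
            update = parts.length > 2 ? Integer.parseInt(parts[2]) : 0;
        }
        return new int[] {major, update};
    }

    /** Port/host of every TLS-enabled HTTP connector whose SSLHostConfig asks for a client cert. */
    static List<String> mutualTlsConnectors(Server server) {
        List<String> found = new ArrayList<>();
        for (Service service : server.findServices()) {
            for (Connector connector : service.findConnectors()) {
                ProtocolHandler ph = connector.getProtocolHandler();
                if (!(ph instanceof AbstractHttp11Protocol)
                        || !((AbstractHttp11Protocol<?>) ph).isSSLEnabled()) {
                    continue;                    // plain HTTP or AJP: no TLS here
                }
                for (SSLHostConfig cfg : connector.findSslHostConfigs()) {
                    // REQUIRED, OPTIONAL and OPTIONAL_NO_CA all let a client present a cert.
                    if (cfg.getCertificateVerification() != CertificateVerification.NONE) {
                        found.add(connector.getPort() + "/" + cfg.getHostName());
                    }
                }
            }
        }
        return found;
    }
}
```

The version table is the piece that needs maintaining, which is exactly the return-on-investment concern raised above: a check like this only helps installations that upgrade Tomcat but not the JVM. Treating `OPTIONAL` and `OPTIONAL_NO_CA` the same as `REQUIRED` is deliberate, since any configuration that accepts a client certificate exercises the affected verification path.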