Hello all,
How can I change the default behavior changed in this fix in embedded Jetty?
I am running version 9.3.8.v20160314 now and as a result of the upgrade
from 9.3.7.v20160115 lost a large percentage of supported
browsers/clients (among which Android 4.0-4.3, IE8-10 on Win7, Java7 and
Safari6.0.4). Perhaps I am offering a too limited set of ciphers? This
was not the case with the previous version.
I prefer running the latest Jetty but this is a bit too much for me.
Cheers,
Silvio
On 03/17/2016 02:24 PM, Marvin Addison wrote:
> On Wed, Mar 16, 2016 at 1:43 PM Joakim Erdfelt <[email protected]> wrote:
>
> > Take a look at the JVM security setting some time.
>
> I know that file well enough to know off the top of my head that SHA1
> is not disabled in the fairly recent JDK 1.8 I'm using. I was curious
> to know whether they had dropped it since January without my noticing.
>
> > The entries for SHA-0 and SHA-1 blocks are coming.
>
> So it's not disabled by default at present, thus the Jetty project is
> taking a considerably more conservative approach than the latest JVM
> right now. That's fine, just needs to be clearly communicated.
> Additionally, Oracle has a good track record of communicating
> cipher/strength changes in release notes. The DH key size was a recent
> change that was communicated clearly and prominently.
>
> > See your jetty-distribution-9.3.7.v20160115/VERSION.txt
> > + 485714 Update SSL configuration to mitigate SLOTH vulnerability
>
> Says nothing about the security impact of the change, which is the
> point I'm trying to make. It should say the following:
>
> Disables RSA+MD5 and RSA+SHA1 ciphers by default.
>
> That's a fair criticism, and I hope you'll take it and improve
> communication in the release announcement and/or changelog in the future.
>
> M
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
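
Added example, not part of the original thread and not Jetty project code: one way to do what the question above asks in embedded Jetty 9.3, replacing the default cipher exclusion list on `SslContextFactory` with a narrower one. The keystore path and password, the port, the class name and the two exclusion patterns are assumptions made for this example.

```java
import java.util.Arrays;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class LegacyClientTls {
    public static void main(String[] args) throws Exception {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore.jks"); // placeholder path
        ssl.setKeyStorePassword("changeit");          // placeholder password

        // Print what this Jetty version excludes out of the box, so the
        // override below is a deliberate change against a known baseline.
        System.out.println("Default excludes: "
                + Arrays.toString(ssl.getExcludeCipherSuites()));

        // Replace (not extend) the default exclusion list. The patterns are
        // constructed for this example and written to match a whole suite name:
        //   - every suite ending in _MD5 stays excluded
        //   - NULL, anonymous, EXPORT, single-DES and RC4 suites stay excluded
        //   - suites ending in _SHA are no longer excluded, which is the part
        //     that older clients depend on
        ssl.setExcludeCipherSuites(
                "^.*_MD5$",
                "^.*_(NULL|anon|EXPORT|DES|RC4)_.*$");

        // Record the list actually in force so the relaxation is visible in
        // the logs and can be tightened again once legacy clients are gone.
        System.out.println("Active excludes:  "
                + Arrays.toString(ssl.getExcludeCipherSuites()));

        Server server = new Server();
        ServerConnector https = new ServerConnector(server, ssl);
        https.setPort(8443); // example port
        server.addConnector(https);

        server.start();
        server.join();
    }
}
```

The protocol exclusions set by the `SslContextFactory` constructor are left untouched here; only the cipher suite exclusions are replaced.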