The fact that the HTTP/2 spec mandates an ECC cipher suite ...

http://tools.ietf.org/html/rfc7540#section-9.2.2

   The black list includes the cipher suite that TLS 1.2 makes
   mandatory, which means that TLS 1.2 deployments could have non-
   intersecting sets of permitted cipher suites.  To avoid this problem
   causing TLS handshake failures, deployments of HTTP/2 that use TLS
   1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE]
   with the P-256 elliptic curve [FIPS186].

... means that the CentOS / RedHat Java VM is spec incompatible.

Add to that the ever-increasing list of disabled cipher suites (by the
industry), and you are soon left with no ciphers with which you can
communicate with other systems on the internet in a general sense.

When TLS 1.3 hits, things will get nasty even faster (as they are
introducing cipher blacklists).



Joakim Erdfelt / [email protected]

On Thu, Apr 28, 2016 at 12:02 PM, martijn.list <[email protected]>
wrote:

> On 04/28/2016 08:32 PM, Jesse McConnell wrote:
> >
> > Part of the push to get Jetty 9.4 out the door will be also to retire
> > open source support for Jetty 9.2.x which should be effective in May
> > 2016.
> >
> > A year ago this month (April) Oracle put the brakes on general public
> > support for Java 7.  That roughly corresponds to when we pushed Jetty
> > 9.3.x which was the first version of Jetty to require Java 8.
> >
> > Picking up another release branch of Jetty and the looming addition of
> > yet another for experimental features and the forthcoming Servlet 4.0
> > support with Jetty 10 means something has to give.  Moving forward Jetty
> > 9.2.x will not be getting any tangible support from the Jetty developers
> > on the open source side of things.  We will continue to support it for
> > clients through our professional services and support company Webtide,
> > and if that support triggers a release then that release will of course
> > be made available to the community at large.  We started this program
> > with Jetty 6 and it seems to have served us and the community well for
> > both Jetty 7 and Jetty 8.
> >
> > If you have any questions about this please chime in!
>
> Unfortunately OpenJDK 8 on CentOS/RedHat has some open issues with EC
> support for TLS (https://bugs.centos.org/view.php?id=9482). These issues
> make it impossible to use strong ciphers with Jetty when running under
> OpenJDK 8.
>
> Because OpenJDK 6 and 7 are still supported by RedHat, wouldn't it be a
> good idea to keep supporting 9.2 only for bug fixes?
>
> Kind regards,
>
> Martijn Brinkers
>
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
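
An added example (not part of the original thread and not Jetty code): a small Java check that reports whether the running JVM offers the cipher suite and curve named in the RFC 7540 excerpt quoted above. The class name `Http2TlsCheck` is hypothetical; the code uses only standard JSSE/JCA calls.

```java
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

public class Http2TlsCheck {
    // Suite that RFC 7540 section 9.2.2 requires for HTTP/2 over TLS 1.2.
    static final String REQUIRED_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
    // JCA standard name for the P-256 curve.
    static final String REQUIRED_CURVE = "secp256r1";

    static boolean contains(String[] suites, String name) {
        return Arrays.asList(suites).contains(name);
    }

    // True only if an EC provider is installed and can generate a key on the curve.
    static boolean curveAvailable(String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return true;
        } catch (Exception e) {
            // No EC provider, unknown curve, or a provider failure at runtime.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        // "Supported" = the provider implements it; "enabled" = offered by default.
        boolean supported = contains(ctx.getSupportedSSLParameters().getCipherSuites(), REQUIRED_SUITE);
        boolean enabled = contains(ctx.getDefaultSSLParameters().getCipherSuites(), REQUIRED_SUITE);
        boolean curve = curveAvailable(REQUIRED_CURVE);

        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("suite supported    : " + supported);
        System.out.println("suite enabled      : " + enabled);
        System.out.println("P-256 key generation: " + curve);

        // Non-zero exit lets a deployment script refuse to start an HTTP/2 connector.
        System.exit(supported && enabled && curve ? 0 : 1);
    }
}
```

Run it with the same JVM and `java.security` configuration that the server uses, since the result depends on the installed security providers.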