https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Thomas ma...@apache.org changed:
What|Removed |Added
Status|REOPENED|RESOLVED
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #43 from Ralf Hauser hau...@acm.org ---
I guess comment 30 ff. refers to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 ?
--
You are receiving this mail because:
You are the assignee for the bug.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #44 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Ralf Hauser from comment #43)
> I guess comment 30 ff. refers to
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 ?
Yes.
Patches are
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #45 from Mark Woon markw...@gmail.com ---
In reply to comment #43: yes.
I also agree with comment #33 - SSLv2 and SSLv3 should just be removed from the
options.
So glad to see that this is moving forward.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #42 from Christopher Schultz ch...@christopherschultz.net ---
Patch proposed for tc6:
http://people.apache.org/~schultz/patches/53952.tc6.patch
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Brett Randall javabr...@gmail.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #35 from Mark Thomas ma...@apache.org ---
Agreed. I'll start looking at this today with a view to getting a release out
next week.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #36 from Christopher Schultz ch...@christopherschultz.net ---
I'll do another review of the tcnative patch and apply as appropriate.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #37 from Christopher Schultz ch...@christopherschultz.net ---
I'm looking at Marcel's attachment #30150 and the protocol selection is a bit
verbose though methodical.
It took a bit of thinking to understand why the code does
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz ch...@christopherschultz.net changed:
What|Removed |Added
Attachment #32115|0
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz ch...@christopherschultz.net changed:
What|Removed |Added
Attachment #32114|0
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #39 from Christopher Schultz ch...@christopherschultz.net ---
Fixed in tcnative-trunk in r1632593 and tcnative-1.1.x in r1632595. Will be in
tcnative 1.1.32.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz ch...@christopherschultz.net changed:
What|Removed |Added
Status|NEW
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz ch...@christopherschultz.net changed:
What|Removed |Added
Status|RESOLVED
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #31 from jfclere jfcl...@gmail.com ---
Created attachment 32114
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32114&action=edit
patch for the issue.
The patch works for me.
Basically the SSL.java needs the new
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #32 from jfclere jfcl...@gmail.com ---
Created attachment 32115
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32115&action=edit
patch for tc-trunk.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
jfclere jfcl...@gmail.com changed:
What|Removed |Added
CC||jfcl...@gmail.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #33 from jeffrey.jan...@polydyne.com ---
I was looking at the code for the patch in Comment #32 and noticed that you
introduced a regression. SSLv2 was removed from the ALL list sometime back so
that the default was to not
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #34 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to jfclere from comment #31)
> Created attachment 32114 [details]
> patch for the issue.
> The patch works for me.
> Basically the SSL.java needs the new
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Woon markw...@gmail.com changed:
What|Removed |Added
CC||markw...@gmail.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Hobden m...@mclgm.net changed:
What|Removed |Added
CC||m...@mclgm.net
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #29 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Mudassir Aftab from comment #27)
> Comment on attachment 29433 [details]
> patch for tomcat trunk that adds support for newer TLS versions
> This patch is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mudassir Aftab withmudas...@gmail.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #28 from Mudassir Aftab withmudas...@gmail.com ---
Comment on attachment 29433
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29433
patch for tomcat trunk that adds support for newer TLS versions
Hi,
This patch is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Ralf Hauser hau...@acm.org changed:
What|Removed |Added
CC||hau...@acm.org
---
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #25 from Marcel Šebek sebe...@post.cz ---
(In reply to Christopher Schultz from comment #23)
> I've taken another look at the (updated) patches. I'm confused by the
> changes to sslcontext.c. It looks like there is no provision
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #23 from Christopher Schultz ch...@christopherschultz.net ---
I've taken another look at the (updated) patches. I'm confused by the changes
to sslcontext.c. It looks like there is no provision for combinations of
SSL/TLS
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #24 from Rainer Jung rainer.j...@kippdata.de ---
I suggest we try to stay compatible with the httpd notations:
http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslprotocol
The code in tcnative that handles the protocol
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29459|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #20 from Christopher Schultz ch...@christopherschultz.net ---
Given the comment in OpenSSL that SSL_OP_PKCS1_CHECK_{1,2} were never used, I
think it's reasonable to use the new symbolic names and remove the old ones.
Note that
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #21 from Marcel Šebek sebe...@post.cz ---
Actually, the comment came from OpenSSL. Here is part of 1.0.1e ssl.h:
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
*/
/* The
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #17 from Marcel Šebek sebe...@post.cz ---
The problem is the following. OpenSSL 0.9.8y defines SSL_OP_PKCS1_CHECK_{1,2} as
0x0800L and 0x1000L while OpenSSL 1.0.1e uses the same values for
SSL_OP_NO_TLSv1_{1,2}, and defines
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #18 from Marcel Šebek sebe...@post.cz ---
Created attachment 30149
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30149&action=edit
patch dropping SSL_OP_PKCS* from supported_ssl_opts
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #30111|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29458|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29457|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #15 from Marcel Šebek sebe...@post.cz ---
Created attachment 30112
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30112&action=edit
Patch for jboss-web
Just for the reference, here is the patch for jboss-web that I've
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #16 from Marcel Šebek sebe...@post.cz ---
Oops, there seems to be a problem with OpenSSL 0.9.8. Previously, I've tested
1.0.1e and that worked, but the older version seems to have problems with
default protocol set. I currently
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #13 from Christopher Schultz ch...@christopherschultz.net ---
Have you been testing your patch? Last I heard, you had only compile-tested
it...
If you have some additional evidence that it's working in a test rig, I'm happy
to
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #12 from Marcel Šebek sebe...@post.cz ---
Now when there is a known practical attack against RC4 in SSL, we have no
secure ciphersuite in TLS 1.0, and this issue has probably higher priority than
before. What is the reason for
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29434|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29435|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek sebe...@post.cz changed:
What|Removed |Added
Attachment #29433|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #10 from Marcel Šebek sebe...@post.cz ---
I've forgotten to mention that the patches are compile-tested only.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #11 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to comment #9)
> In the tomcat part, I rely on the SSL.hasOp functionality to check whether
> the tcnative library supports newer protocols.
Good thing
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #5 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to comment #3)
> This introduces a compile-time dependency on OpenSSL 1.0.1+.
Retracted: I have successfully built (but not tested) this patch against
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #6 from Christopher Schultz ch...@christopherschultz.net ---
I like this patch, but since security is involved, I think I'd like to see a
check in the Java code against the (likely) tcnative version that can support
TLSv1.1 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #1 from sebe...@post.cz ---
Created attachment 29434
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29434&action=edit
patch for tcnative trunk that adds support for newer TLS versions
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #2 from sebe...@post.cz ---
Created attachment 29435
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29435&action=edit
patch for tcnative 1.1 branch
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
sebe...@post.cz changed:
What|Removed |Added
CC||sebe...@post.cz
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #3 from Christopher Schultz ch...@christopherschultz.net ---
This introduces a compile-time dependency on OpenSSL 1.0.1+.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #4 from sebe...@post.cz ---
This is not the case, because the parts of code which depend on the newer
library version are #ifdef'ed. Actually, the patches improve compatibility with
newer openssl versions, as the library may be