[jetty-users] Questioning Fix for 485714

I'm troubled by the following commit:

https://github.com/eclipse/jetty.project/commit/0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb

That prevents the following cipher suites _by default_ required for TLS1 interoperability according to NIST [1]:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

In our testing, this effectively requires clients to negotiate TLS 1.2 connections, which is simply impractical. While our strict set of cipher suites may be contributing to this behavior, it's a pretty dramatic change in defaults for a patch release (9.3.6-9.3.7). I appreciate your desire to ship secure defaults, but I think this may go too far. Of course it's an easy fix to explicitly configure all SSL protocol settings explicitly, but I burnt several hours tracking down what to override. I encourage you to reconsider.

Thanks,
Marvin

[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf, section 3.3.1
