
Re: [jetty-users] Questioning Fix for 485714

On Wed, Mar 16, 2016 at 11:31 AM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
> Also note that these SSL/TLS restrictions are being implemented at the JVM level as well.

You're saying that Oracle is disabling RSA+SHA1 by default? That is the effect of the change I cited, and if true is astounding.

> We have chosen to release as secure a product as we can.

I respect that and said as much in my first note. While I personally disagree with the balance of security and compatibility introduced by the change, it's a defensible choice. That said, it's only fair to announce such dramatic changes clearly and broadly. The commit message is clear enough, but says nothing about the security impact, which is what matters most to deployers. Text like the following should be in the changelog or release announcement:

Jetty 9.3.7 disables RSA+MD5 and RSA+SHA1 ciphers by default.

I subscribe to jetty-announce, and I'm pretty sure a clear statement like that would have caught my attention. Looking through past mail, I see I missed a related discussion on this topic from Jan 20 where you clearly communicated the change to cipher suites. My bad. In any case it belongs in either changelog or release notes.

Best,
Marvin
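Deployers who want to see what the change discussed above means for their own JVM can check which cipher suites it enables by default. The following Java program is an added example, not code from the thread, from Jetty, or from Oracle: it lists the JVM's default cipher suites, flags those whose MAC is SHA-1 or MD5 (JSSE names ending in `_SHA` or `_MD5`, which is one reading of "RSA+SHA1/RSA+MD5 ciphers"), and prints the `jdk.tls.disabledAlgorithms` security property that governs JVM-level restrictions. The class name and the name-suffix heuristic are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (not from the jetty-users thread or the Jetty project):
// audit the default JSSE cipher suites of the running JVM.
public class CipherSuiteAudit {

    // Assumption: in JSSE naming, suites whose MAC is HMAC-SHA1 end in "_SHA"
    // and suites whose MAC is HMAC-MD5 end in "_MD5". "_SHA256"/"_SHA384"
    // suites do not match because they do not end in "_SHA".
    static boolean usesSha1OrMd5Mac(String suite) {
        return suite.endsWith("_SHA") || suite.endsWith("_MD5");
    }

    // Return the subset of the given suites that use a SHA-1 or MD5 MAC.
    static List<String> legacyMacSuites(String[] suites) {
        List<String> legacy = new ArrayList<>();
        for (String suite : suites) {
            if (usesSha1OrMd5Mac(suite)) {
                legacy.add(suite);
            }
        }
        return legacy;
    }

    public static void main(String[] args) throws Exception {
        // Suites enabled by default for the JVM's default SSLContext.
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        // JVM-level restrictions (java.security file or -D override).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        System.out.println("Default-enabled cipher suites: " + enabled.length);
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        List<String> legacy = legacyMacSuites(enabled);
        System.out.println("Suites using a SHA-1 or MD5 MAC: " + legacy.size());
        for (String suite : legacy) {
            System.out.println("  " + suite);
        }
    }
}
```

Run it with the same JVM (and the same `java.security` settings) that runs Jetty; the second list is the set of suites that a Jetty release excluding SHA-1/MD5 suites by default would remove from what the JVM alone offers, so an empty second list means the JVM-level restriction already covers them.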
