Re: [jetty-users] Jetty 9.2 EOL

The fact that the HTTP/2 spec mandates an ECC cipher suite ...

http://tools.ietf.org/html/rfc7540#section-9.2.2

   The black list includes the cipher suite that TLS 1.2 makes
   mandatory, which means that TLS 1.2 deployments could have non-
   intersecting sets of permitted cipher suites.  To avoid this problem
   causing TLS handshake failures, deployments of HTTP/2 that use TLS
   1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE]
   with the P-256 elliptic curve [FIPS186].

... means that the CentOS / RedHat Java VM is spec incompatible.

Add to that the ever-increasing list of disabled cipher suites (by the industry), you are soon left with no ciphers that you can communicate with other systems on the internet in a general sense.

When TLS 1.3 hits, things will get nasty even faster (as they are introducing Cipher blacklists).



Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Apr 28, 2016 at 12:02 PM, martijn.list <martijn.list@xxxxxxxxx> wrote:
On 04/28/2016 08:32 PM, Jesse McConnell wrote:
>
> Part of the push to get Jetty 9.4 out the door will be also to retire
> open source support for Jetty 9.2.x which should be effective in May 2016.
>
> A year ago this month (April) Oracle put the brakes on general public
> support for Java 7.  That roughly corresponds to when we pushed Jetty
> 9.3.x which was the first version of Jetty to require Java 8.
>
> Picking up another release branch of Jetty and the looming addition of
> yet another for experimental features and the forthcoming Servlet 4.0
> support with Jetty 10 means something has to give.  Moving forward Jetty
> 9.2.x will not be getting any tangible support from the Jetty developers
> on the open source side of things.  We will continue to support it for
> clients through our professional services and support company Webtide,
> and if that support triggers a release then that release will of course
> be made available to the community at large.  We started this program
> with Jetty 6 and it seems to have served us and the community well for
> both Jetty 7 and Jetty 8.
>
> If you have any questions about this please chime in!

Unfortunately OpenJDK 8 on CentOS/RedHat has some open issues with EC
support for TLS (https://bugs.centos.org/view.php?id=9482). These issues
make it impossible to use strong ciphers with Jetty when running under
OpenJDK 8.

Because OpenJDK 6 and 7 are still supported by RedHat, wouldn't it be a
good idea to keep supporting 9.2 only for bug fixes?

Kind regards,

Martijn Brinkers


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
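
A check for the point discussed in this thread, as an added example that is not code from the thread's participants or from the Jetty project: it reports whether the running JVM can offer the cipher suite and curve that RFC 7540 section 9.2.2 requires. The class name `Http2CipherCheck` is made up for illustration; `secp256r1` is the standard JCA name for P-256.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): checks the JVM it runs on for the
// TLS 1.2 suite and curve that RFC 7540 section 9.2.2 makes mandatory.
public class Http2CipherCheck {
    static final String REQUIRED_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
    static final String REQUIRED_CURVE = "secp256r1"; // JCA name for NIST P-256

    static SSLContext tls12Context() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx;
    }

    // Suite is implemented by the JSSE provider (it may still be disabled).
    static boolean suiteSupported(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites())
                     .contains(REQUIRED_SUITE);
    }

    // Suite is offered without any explicit include/exclude configuration.
    static boolean suiteEnabledByDefault(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites())
                     .contains(REQUIRED_SUITE);
    }

    // An EC provider is installed and can generate a P-256 key pair.
    static boolean curveUsable() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(REQUIRED_CURVE));
            return kpg.generateKeyPair() != null;
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // no EC provider, or the curve is not available
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = tls12Context();
        boolean supported = suiteSupported(ctx);
        boolean enabled = suiteEnabledByDefault(ctx);
        boolean curve = curveUsable();
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("suite supported    = " + supported);
        System.out.println("suite enabled      = " + enabled);
        System.out.println("P-256 key pair gen = " + curve);
        System.exit(supported && enabled && curve ? 0 : 1); // non-zero: HTTP/2 over TLS 1.2 will not negotiate
    }
}
```

Run it with the same `java` binary and security configuration that starts Jetty, since the result depends on the providers installed in that specific JVM.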

