Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/04/10 18:02:12 UTC

[jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling

    [ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14489852#comment-14489852 ] 

ASF subversion and git services commented on QPIDJMS-38:
--------------------------------------------------------

Commit 35bf0a2897e538a6cdb1f7d9185dc3e03118ee8a in qpid-jms's branch refs/heads/master from Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=35bf0a2 ]

QPIDJMS-38: share implementation to ensure behaviours remain aligned later


> updates to SSL/TLS configuration and/or handling
> ------------------------------------------------
>
>                 Key: QPIDJMS-38
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-38
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>             Fix For: 0.2.0
>
>
> Some updates to our SSL/TLS configuration and/or handling:
> For 0.1.0 the docs said we don't set a default value for the 'enabledProtocols' transport option, relying on the JVM defaults if none were configured explicitly. However, the code actually did have a default. One of those enabled was the SSLv2Hello pseudo protocol, which would make the older Hello format be used even for TLS connections, even though this behaviour is now disabled by default for client connections since Java 7. The code will be updated to remove the transport configuration default and let it do what the docs said by using the defaults given when creating the SSLEngine from the SSLContext. This will mean that any newer protocols will be usable as they become available and that we won't explicitly enable protocols by default that might become disabled for security reasons (e.g. like SSLv3 has been disabled in many JVMs now). The transport code will be updated to explicitly disable SSLv2Hello and SSLv3 rather than relying on them not being configured as enabled.
> The SSLContext instance is created using a hard-coded protocol option of "TLS" currently. This should be configurable to allow users to choose the value most appropriate to their needs/JVM.



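The handling described in the quoted issue, sketched with the standard javax.net.ssl API as an added example; it is not code from the qpid-jms commit. The class name, method names and parameters are hypothetical, and the default key/trust managers are used only to keep the sketch self-contained.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolSelection {
    // Always removed, whether they come from the JVM defaults or from user configuration.
    private static final List<String> DISABLED = Arrays.asList("SSLv2Hello", "SSLv3");

    /**
     * Hypothetical helper. contextProtocol is the configurable SSLContext protocol
     * (instead of a hard-coded "TLS"); enabledProtocols == null means "no explicit
     * configuration, start from the defaults of the engine the context creates".
     */
    static SSLEngine createEngine(String contextProtocol, String[] enabledProtocols) throws Exception {
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // JVM default key and trust managers (assumption)
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true);
        // setEnabledProtocols throws IllegalArgumentException for names the JVM does
        // not support, so a misconfigured explicit list fails loudly.
        engine.setEnabledProtocols(filter(engine, enabledProtocols));
        return engine;
    }

    static String[] filter(SSLEngine engine, String[] requested) {
        String[] base = requested != null ? requested : engine.getEnabledProtocols();
        List<String> result = new ArrayList<>();
        for (String protocol : base) {
            if (!DISABLED.contains(protocol)) {
                result.add(protocol);
            }
        }
        if (result.isEmpty()) {
            // Fail closed rather than fall back to whatever the engine had enabled.
            throw new IllegalStateException("No protocol left after filtering " + Arrays.toString(base));
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine defaults = createEngine("TLS", null);
        System.out.println("JVM defaults, filtered: " + Arrays.toString(defaults.getEnabledProtocols()));
        // Constructed input: an explicit list that still names the legacy protocols.
        SSLEngine explicit = createEngine("TLS", new String[] {"SSLv2Hello", "SSLv3", "TLSv1.2"});
        System.out.println("Explicit list, filtered: " + Arrays.toString(explicit.getEnabledProtocols()));
    }
}
```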