You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/01/19 14:32:30 UTC
[Bug 57464] New: Please support for TLS Fallback SCSV
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464
Bug ID: 57464
Summary: Please support for TLS Fallback SCSV
Product: Tomcat 7
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: hauser@acm.org
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv
https://www.ssllabs.com/ssltest/analyze.html?d=issues.apache.org complains
about
"Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more
info)", but Mark expressed reluctance to do so as per
http://mail-archives.apache.org/mod_mbox/tomcat-users/201412.mbox/%3C547ED9DD.2090305@apache.org%3E
On the other hand - it wouldn't really hurt to support it?
Or is ssllabs with its warning "off the map"?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57464] Please support for TLS Fallback SCSV
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464
--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
Am OpenJDK patch and test case:
Disclaimer: just one of first results found via googling. I do not know the
full story here.
https://fweimer.fedorapeople.org/openjdk/tls-fallback-scsv/jdk.patch
That is an OpenJDK patch. I do not know whether it has been applied to Oracle
Java. In any case, the patch is dated 2014-10-20 and the current versions of
Oracle Java (8u25, 7u72) were released a week earlier on 2014-10-14, so they
cannot contain it.
Usually a security update on Java (and other Oracle products) comes out in
January, but one has not been released yet.
Links to early access builds of Java have been mentioned on Tomcat dev list.
Maybe somebody likes to test those.
http://mail-archives.apache.org/mod_mbox/tomcat-dev/201501.mbox/%3C54B90DB1.7050801%40oracle.com%3E
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57464] Please support for TLS Fallback SCSV
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
As far as I am reading this, the check for presence of TLS_FALLBACK_SCSV
cipher in cipher list provided by client should happen during protocol & cipher
negotiation in TLS/SSL library.
That happens outside of Tomcat control. If the feature is implemented in the
underlying libraries (Java JSSE, OpenSSL) then I think it will be available
automatically, if they would have it "on" by default.
At most Tomcat could provide options to control turning the feature off/on, if
such options are provided by the underlying libraries.
Looking at OpenSSL changelog, this feature is available since 1.0.1j. As far as
I understand, it is "on" by default, and I have not heard of a way to turn it
off.
The following blog post says how to test it:
https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html
To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol
downgrades. For example it can protect from a TLS 1.2 -> TLS 1.1 downgrade
caused a MITM / unreliable network.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57464] Please support for TLS Fallback SCSV
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This can't be supported for BIO or NIO since Java does not support it.
I assume it could be supported for APR/native but:
a) I haven't looked into it
b) I still don't see the point in expending effort on a feature that is only
required by very old clients that are themselves unsupported
That said, I'm not going to stand in anyone's way if they want to implement it
(unless the patch is very large and/or invasive).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org