Posted to dev@activemq.apache.org by "Gary Tully (JIRA)" <ji...@apache.org> on 2011/09/22 18:43:26 UTC

[jira] [Updated] (AMQ-3508) SSL and TLS - Support list of included and excluded protocols

     [ https://issues.apache.org/jira/browse/AMQ-3508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully updated AMQ-3508:
----------------------------

    Fix Version/s: 5.6.0

let's upgrade for 5.6

> SSL and TLS - Support list of included and excluded protocols 
> --------------------------------------------------------------
>
>                 Key: AMQ-3508
>                 URL: https://issues.apache.org/jira/browse/AMQ-3508
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Connector, Transport
>    Affects Versions: 5.6.0
>         Environment: JDK7, RHEL5
>            Reporter: Fengming Lou
>             Fix For: 5.6.0
>
>
> On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
> 1.0 (and below) was demonstrated that allows an attacker to decrypt
> communications between 2 parties.  The demonstration was against a
> PayPal Authentication cookie, which took 10 minutes to decipher with
> the aid of a packet sniffer and some hostile javascript running in the
> browser.
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
> While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
> commonly available in browsers and JVMs.   Java 6 currently only
> supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2.  It has not
> yet been announced if a TLS 1.1 provider will be made available for
> Java 6. As of recently, the browser support for TLS can be seen at
> http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
> Google Chrome has already announced imminent support for 1.2 and it
> is expected that the other browsers will follow shortly (see
> http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).
> Jetty when used with its default configuration of SSL will use the
> highest common version of TLS available that is shared by the browsers
> and JVM.  Thus if jetty is running on java 7 today, it will
> automatically use TLS 1.1 or 1.2 if it is available in the browser.
> However there is currently no mechanism to disable protocol versions
> within Jetty (unless they are disabled in the JVM).
> Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
> included and excluded protocols in the configuration of the
> SslContextFactory class used to configure SSL clients and server
> connectors.  This will allow TLS 1.0 to be excluded once clients that
> support it are widely deployed. A stable release of 7.5.2 will be
> available next week.
> We strongly recommend that you upgrade your systems (browser and
> JVMs) to support TLS 1.1 or later.  For Jetty servers, this currently
> means running on java 7.  Until TLS 1.1 is widely available in
> browsers, it is recommended that you evaluate the risks of continuing
> to provide your services over SSL and TLS.
> regards
> _______________________________________________
> jetty-announce mailing list
> jetty-announce@eclipse.org
> https://dev.eclipse.org/mailman/listinfo/jetty-announce

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
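The quoted announcement describes Jetty's new SslContextFactory option for listing included and excluded protocols, and this ticket asks for the same control in ActiveMQ's SSL transport. The example below is added here and is not code from Jetty, ActiveMQ or the ticket; it uses only the JDK's own JSSE API (SSLContext, SSLServerSocket.getSupportedProtocols/setEnabledProtocols) to show the underlying mechanism such a feature drives: the enabled set is what the JVM supports, narrowed to an include list if one is given, minus an exclude list. The class name, the helper `selectProtocols` and the exclude list (SSL 3.0 and TLS 1.0, which the JDK names "SSLv3" and "TLSv1", plus the "SSLv2Hello" hello-format pseudo-protocol) are assumptions for illustration. No keystore is configured, so the unbound server socket is used only to inspect and set protocol names; a real listener would build its SSLContext from the broker's key material.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added illustration (not Jetty or ActiveMQ code): apply include/exclude
 * protocol lists to a JSSE server socket, mirroring the semantics the
 * quoted Jetty announcement describes for SslContextFactory.
 */
public class ProtocolFilterExample {

    /**
     * Include/exclude selection: start from what the JVM supports, keep only
     * the include list when it is non-empty, then drop anything excluded.
     * Only names taken from {@code supported} are returned, so the result is
     * always safe to hand to setEnabledProtocols (which rejects unknown names).
     */
    static String[] selectProtocols(String[] supported, Set<String> include, Set<String> exclude) {
        List<String> result = new ArrayList<String>();
        for (String protocol : supported) {
            if (!include.isEmpty() && !include.contains(protocol)) {
                continue; // an include list is a whitelist
            }
            if (exclude.contains(protocol)) {
                continue; // exclude always wins over include
            }
            result.add(protocol);
        }
        if (result.isEmpty()) {
            // Misconfiguration guard: an empty enabled set would make every handshake fail.
            throw new IllegalArgumentException("include/exclude lists leave no protocol enabled");
        }
        return result.toArray(new String[result.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        // Unbound socket: created only to read supported protocols and set the enabled ones.
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket();

        System.out.println("Supported by this JVM: " + Arrays.toString(server.getSupportedProtocols()));
        System.out.println("Enabled by default:    " + Arrays.toString(server.getEnabledProtocols()));

        // Constructed exclude list: SSL 3.0 and TLS 1.0 are the versions affected by the
        // attack the ticket cites; SSLv2Hello is the legacy hello format, not a version.
        Set<String> exclude = new HashSet<String>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1"));
        Set<String> include = Collections.emptySet(); // no whitelist: accept the rest

        String[] enabled = selectProtocols(server.getSupportedProtocols(), include, exclude);
        server.setEnabledProtocols(enabled);

        // On a Java 7 JVM this leaves TLSv1.1 and TLSv1.2; on Java 6 (TLS 1.0 only)
        // the guard above fires instead, which matches the announcement's point that
        // excluding TLS 1.0 is only possible once the runtime offers something newer.
        System.out.println("Enabled after filter:  " + Arrays.toString(server.getEnabledProtocols()));
        server.close();
    }
}
```

Run it with `java ProtocolFilterExample` on the JVM the broker will use; the printed "Supported" line is the authoritative list of names that JVM accepts, so any configured include/exclude list should be checked against it rather than against a browser table.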