activemq-dev mailing list archives

From "Timothy Bish (Commented) (JIRA)" <>
Subject [jira] [Commented] (AMQ-3508) SSL and TLS - Support list of included and excluded protocols
Date Fri, 07 Oct 2011 22:37:30 GMT


Timothy Bish commented on AMQ-3508:

It appears that the 7.5.2 API breaks the activemq-optional code pretty good, will need some
work to upgrade to the newer API.

> SSL and TLS - Support list of included and excluded protocols 
> --------------------------------------------------------------
>                 Key: AMQ-3508
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Connector, Transport
>    Affects Versions: 5.6.0
>         Environment: JDK7, RHEL5
>            Reporter: Fengming Lou
>             Fix For: 5.6.0
> On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
> 1.0 (and below) was demonstrated that allows an attacker to decrypt
> communications between 2 parties.  The demonstration was against a
> PayPal Authentication cookie, which took 10 minutes to decipher with
> the aid of a packet sniffer and some hostile JavaScript running in the
> browser.
> While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
> commonly available in browsers and JVMs.   Java 6 currently only
> supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2.  It has not
> yet been announced if a TLS 1.1 provider will be made available for
> Java 6. As of recently, the browser support for TLS can be seen at
> Google Chrome has already announced imminent support for 1.2 and it
> is expected that the other browsers will follow shortly (see
> Jetty when used with its default configuration of SSL will use the
> highest common version of TLS available that is shared by the browsers
> and JVM.  Thus if Jetty is running on Java 7 today, it will
> automatically use TLS 1.1 or 1.2 if it is available in the browser.
> However there is currently no mechanism to disable protocol versions
> within Jetty (unless they are disabled in the JVM).
> Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
> included and excluded protocols in the configuration of the
> SslContextFactory class used to configure SSL clients and server
> connectors.  This will allow TLS 1.0 to be excluded once clients that
> support it are widely deployed. A stable release of 7.5.2 will be
> available next week.
> We strongly recommend that you upgrade your systems (browser and
> JVMs) to support TLS 1.1 or later.  For Jetty servers, this currently
> means running on Java 7.  Until TLS 1.1 is widely available in
> browsers, it is recommended that you evaluate the risks of continuing
> to provide your services over SSL and TLS.
> regards
> _______________________________________________
> jetty-announce mailing list

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:
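
An added example (not part of the original message, and not Jetty's or ActiveMQ's code) of the include/exclude protocol selection the quoted announcement describes, written against plain JSSE. The class name, the helper `selectProtocols` and the rule that the exclude list overrides the include list are assumptions of this example; the protocol names are the standard JSSE ones.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ProtocolFilterExample {

    // Hypothetical helper. With an include list, start from the included names
    // the JVM actually supports; without one, start from the JVM's defaults.
    // Excluded names are then removed, so exclusion wins (assumption).
    static String[] selectProtocols(String[] enabled, String[] supported,
                                    Set<String> include, Set<String> exclude) {
        Set<String> selected = new LinkedHashSet<>();
        if (include == null || include.isEmpty()) {
            selected.addAll(Arrays.asList(enabled));
        } else {
            for (String p : supported) {
                if (include.contains(p)) {
                    selected.add(p);
                }
            }
        }
        selected.removeAll(exclude);
        return selected.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();

        // Constructed policy: allow only TLS 1.1/1.2, refuse SSL 3.0 and TLS 1.0.
        Set<String> include = new LinkedHashSet<>(Arrays.asList("TLSv1.1", "TLSv1.2"));
        Set<String> exclude = new LinkedHashSet<>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1"));

        String[] chosen = selectProtocols(engine.getEnabledProtocols(),
                engine.getSupportedProtocols(), include, exclude);
        // A JVM that offers only TLS 1.0 leaves nothing to enable: fail at
        // startup instead of silently falling back to an excluded protocol.
        if (chosen.length == 0) {
            throw new IllegalStateException("No permitted protocol; JVM supports only "
                    + Arrays.toString(engine.getSupportedProtocols()));
        }
        engine.setEnabledProtocols(chosen);
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the two printed lists on each broker or client JVM shows whether the policy left any protocol enabled there before TLS 1.0 is excluded in production.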

