activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Timothy Bish (Resolved) (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (AMQ-3508) SSL and TLS - Support list of included and excluded protocols
Date Fri, 24 Feb 2012 21:40:05 GMT

     [ https://issues.apache.org/jira/browse/AMQ-3508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Timothy Bish resolved AMQ-3508.
-------------------------------

    Resolution: Fixed

Jetty is now at v7.6.1
                
> SSL and TLS - Support list of included and excluded protocols 
> --------------------------------------------------------------
>
>                 Key: AMQ-3508
>                 URL: https://issues.apache.org/jira/browse/AMQ-3508
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Connector, Transport
>    Affects Versions: 5.6.0
>         Environment: JDK7, RHEL5
>            Reporter: Fengming Lou
>            Assignee: Gary Tully
>             Fix For: 5.6.0
>
>         Attachments: AMQ-3508.txt
>
>
> On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
> 1.0 (and below) was demonstrated that allows an attacker to decrypt
> communications between 2 parties.  The demonstration was against a
> PayPal Authentication cookie, which took 10 minutes to decipher with
> the aid of a packet sniffer and some hostile javascript running in the
> browser.
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
> While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
> commonly available in browsers and JVMs.   Java 6 currently only
> supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2.  It has not
> yet been announced if a TLS 1.1 provider will be made available for
> Java 6. As of recently, the browser support for TLS can be seen at
> http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
> Google Chrome has already announced imminent support for 1.2 and it
> is expected that the other browsers will follow shortly (see
> http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).
> Jetty when used with it's default configuration of SSL will use the
> highest common version of TLS available that is shared by the browsers
> and JVM.  Thus if jetty is running on java 7 today, it will
> automatically use TLS 1.1 or 1.2 if it is available in the browser.
> However there is currently no mechanism to disable protocol versions
> within Jetty (unless they are disabled in the JVM).
> Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
> included and excluded protocols in the configuration of the
> SslContextFactory class used to configure SSL clients and server
> connectors.  This will allow TLS 1.0 to be excluded once clients that
> support it are widely deployed. A stable release of 7.5.2 will be
> available next week.
> We strongly recommend that you  upgrade your systems (browser and
> JVMs) to support TLS 1.1 or later.  For Jetty servers, this currently
> means running on java 7.  Until TLS 1.1 is widely available in
> browsers, it is recommended that you evaluate the risks of continuing
> to provide your services over SSL and TLS.
> regards
> _______________________________________________
> jetty-announce mailing list
> jetty-announce@eclipse.org
> https://dev.eclipse.org/mailman/listinfo/jetty-announce

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message