tomcat-dev mailing list archives

Subject [Bug 57464] Please support for TLS Fallback SCSV
Date Tue, 20 Jan 2015 10:26:56 GMT

Konstantin Kolinko changed:

           What    |Removed                     |Added
             Status|NEW                         |NEEDINFO

--- Comment #2 from Konstantin Kolinko ---
As far as I am reading this, the check for presence of TLS_FALLBACK_SCSV
cipher in cipher list provided by client should happen during protocol & cipher
negotiation in TLS/SSL library.

That happens outside of Tomcat control. If the feature is implemented in the
underlying libraries (Java JSSE, OpenSSL) then I think it will be available
automatically, if they would have it "on" by default.

At most Tomcat could provide options to control turning the feature off/on, if
such options are provided by the underlying libraries.

Looking at OpenSSL changelog, this feature is available since 1.0.1j. As far as
I understand, it is "on" by default, and I have not heard of a way to turn it

The following blog post says how to test it:

To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol
downgrades. For example it can protect from a TLS 1.2 -> TLS 1.1 downgrade
caused by a MITM / unreliable network.
