tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57464] Please support for TLS Fallback SCSV
Date Tue, 20 Jan 2015 10:26:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57464

Konstantin Kolinko <knst.kolinko@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Konstantin Kolinko <knst.kolinko@gmail.com> ---
As far as I am reading this,  the check for presence of TLS_FALLBACK_SCSV
cipher in cipher list provided by client should happen during protocol & cipher
negotiation in TLS/SSL library.

That happens outside of Tomcat control. If the feature is implemented in the
underlying libraries (Java JSSE, OpenSSL) then I think it will be available
automatically, if they would have it "on" by default.

At most Tomcat could provide options to control turning the feature off/on, if
such options are provided by the underlying libraries.


Looking at OpenSSL changelog, this feature is available since 1.0.1j. As far as
I understand, it is "on" by default, and I have not heard of a way to turn it
off.

The following blog post says how to test it:
https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html


To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol
downgrades. For example it can protect from a TLS 1.2 -> TLS 1.1 downgrade
caused a MITM / unreliable network.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message