mina-dev mailing list archives

From Jeff MAURY <jeffma...@jeffmaury.com>
Subject Re: Back to code
Date Tue, 29 Apr 2014 19:21:18 GMT
Hello,

I don't think we should remove this feature; at least, we should make it
optional and disable it by default.
Please note that as TLS will evolve to fix the vulnerabilities, supporting
it means we should be able to have better support with future JDKs.

Jeff


On Tue, Apr 29, 2014 at 9:35 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 4/23/14 5:09 PM, Jeff MAURY wrote:
> >    - SSL: We've refactored the SSL process to be more event oriented, but I
> >    think we should complete it, mainly related to rehandshake
>
> After having read this:
>
> http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html
>
> I'm wondering if it wouldn't be better to explicitly claim that we
> won't support renegotiation?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Jeff MAURY


"Legacy code" often differs from its suggested alternative by actually
working and scaling.
 - Bjarne Stroustrup

http://www.jeffmaury.com
http://riadiscuss.jeffmaury.com
http://www.twitter.com/jeffmaury
