qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
Date Fri, 17 Apr 2015 09:42:59 GMT

    [ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14499551#comment-14499551 ]

ASF subversion and git services commented on QPIDJMS-38:
--------------------------------------------------------

Commit 00d746a6e1424fb709fb5151d991e4cabdaded45 in qpid-jms's branch refs/heads/master from
Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=00d746a ]

QPIDJMS-38: add more tests around the disabledProtocols option


> updates to SSL/TLS configuration and/or handling
> ------------------------------------------------
>
>                 Key: QPIDJMS-38
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-38
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>             Fix For: 0.2.0
>
>
> Some updates to our SSL/TLS configuration and/or handling:
> For 0.1.0 the docs said we don't set a default value for the 'enabledProtocols' transport
> option, relying on the JVM defaults if none were configured explicitly. However, the code actually
> did have a default. One of those enabled was the SSLv2Hello pseudo protocol, which would make
> the older Hello format be used even for TLS connections, even though this behaviour is now
> disabled by default for client connections since Java 7. The code will be updated to remove
> the transport configuration default and let it do what the docs said by using the defaults
> given when creating the SSLEngine from the SSLContext. This will mean that any newer protocols
> will be usable as they become available and that we won't explicitly enable protocols by default
> that might become disabled for security reasons (e.g. like SSLv3 has been disabled in many
> JVMs now). The transport code will be updated to explicitly disable SSLv2Hello and SSLv3
> rather than relying on them not being configured as enabled.
> The SSLContext instance is created using a hard-coded protocol option of "TLS" currently.
> This should be configurable to allow users to choose the value most appropriate to their needs/JVM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
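
The protocol handling described in the quoted issue, sketched as an added example that is not code from qpid-jms or from this commit: the engine's JVM defaults are used when no explicit list is configured, and SSLv2Hello and SSLv3 are always removed. The class, method and parameter names are hypothetical, and the `legacy` list is constructed sample input.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolSelection {

    // Hypothetical helper: decide which protocols end up enabled on the engine.
    static String[] selectProtocols(String[] engineDefaults, String[] explicitlyEnabled, String[] disabled) {
        // With no explicit list, start from what the JVM enabled on the SSLEngine,
        // so newer protocols are picked up as JVMs add them.
        List<String> selected = new ArrayList<>(Arrays.asList(
                explicitlyEnabled != null ? explicitlyEnabled : engineDefaults));
        // The disabled list is applied last, so it wins even over an explicit enable.
        selected.removeAll(Arrays.asList(disabled));
        return selected.toArray(new String[0]);
    }

    static SSLEngine createEngine(String contextProtocol, String[] enabled, String[] disabled) throws Exception {
        // Context protocol is a parameter rather than a hard-coded "TLS".
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // JVM default key managers, trust managers and RNG
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true);  // client defaults can differ from server defaults
        String[] protocols = selectProtocols(engine.getEnabledProtocols(), enabled, disabled);
        if (protocols.length == 0) {
            // Fail closed instead of handing the engine an empty protocol list.
            throw new IllegalStateException("No protocol left enabled after filtering");
        }
        engine.setEnabledProtocols(protocols);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String[] disabled = {"SSLv2Hello", "SSLv3"};
        // Constructed list that includes the SSLv2Hello pseudo protocol.
        String[] legacy = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("filtered sample: " + Arrays.toString(selectProtocols(legacy, null, disabled)));
        // Real engine: JVM defaults minus the disabled entries.
        SSLEngine engine = createEngine("TLS", null, disabled);
        System.out.println("engine enabled:  " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the second printed line across JVM versions shows the effect the issue is after: the enabled set follows the JVM's own defaults, while the two disabled entries never appear.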
