qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPIDJMS-38) updates to SSL/TLS configuration and/or handling
Date Wed, 15 Apr 2015 14:01:59 GMT

    [ https://issues.apache.org/jira/browse/QPIDJMS-38?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14496207#comment-14496207 ]

ASF subversion and git services commented on QPIDJMS-38:

Commit cf732f90138186a8486bfb4df47880724cfc527d in qpid-jms's branch refs/heads/master from
Robert Gemmell
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=cf732f9 ]

QPIDJMS-39: Add some initial tests to ensure the config options are wired up. Need more to
ensure the options take effect.

Also catches and fixes a defect in changes for QPIDJMS-38.

> updates to SSL/TLS configuration and/or handling
> ------------------------------------------------
>                 Key: QPIDJMS-38
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-38
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>             Fix For: 0.2.0
> Some updates to our SSL/TLS configuration and/or handling:
> For 0.1.0 the docs said we don't set a default value for the 'enabledProtocols' transport
> option, relying on the JVM defaults if none were configured explicitly. However, the code actually
> did have a default. One of those enabled was the SSLv2Hello pseudo protocol, which would make
> the older Hello format be used even for TLS connections, even though this behaviour is now
> disabled by default for client connections since Java 7. The code will be updated to remove
> the transport configuration default and let it do what the docs said by using the defaults
> given when creating the SSLEngine from the SSLContext. This will mean that any newer protocols
> will be useable as they become available and that we won't explicitly enable protocols by default
> that might become disabled for security reasons (e.g. like SSLv3 has been disabled in many
> JVMs now). The transport code will be updated to explicitly disable SSLv2Hello and SSLv3
> rather than relying on them not being configured as enabled.
> The SSLContext instance is created using a hard coded protocol option of "TLS" currently.
> This should be configurable to allow users to choose the value most appropriate to their needs/JVM.

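The handling described in the issue above, as an added example that is not part of the original message and is not qpid-jms code: the engine starts from the JVM's own protocol defaults unless a list is configured, SSLv2Hello and SSLv3 are removed in either case, and the SSLContext protocol is a parameter. The class, method and parameter names are hypothetical; only the standard JSSE calls are real.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; class, method and parameter names are hypothetical, not qpid-jms code.
public class TlsEngineExample {

    // Protocols removed even when the JVM defaults or the caller's list include them.
    private static final List<String> ALWAYS_DISABLED = Arrays.asList("SSLv2Hello", "SSLv3");

    /**
     * Returns the protocols to enable: the explicit list if one was configured,
     * otherwise the engine's own defaults, minus the always-disabled entries.
     */
    static String[] selectProtocols(String[] configured, String[] engineDefaults) {
        String[] base = (configured != null) ? configured : engineDefaults;
        List<String> result = new ArrayList<>();
        for (String protocol : base) {
            if (!ALWAYS_DISABLED.contains(protocol)) {
                result.add(protocol);
            }
        }
        if (result.isEmpty()) {
            // Fail closed rather than hand the engine an empty protocol list.
            throw new IllegalStateException("No usable TLS protocol left after filtering");
        }
        return result.toArray(new String[0]);
    }

    static SSLEngine createClientEngine(String contextProtocol, String[] configured)
            throws Exception {
        // contextProtocol is supplied by configuration instead of being hard coded to "TLS".
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // JVM default key managers, trust managers, RNG
        SSLEngine engine = context.createSSLEngine();
        // Set client mode first so getEnabledProtocols() reports the client-side defaults.
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(selectProtocols(configured, engine.getEnabledProtocols()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = createClientEngine("TLS", null);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Because the filter is a deny-list applied to whatever the JVM offers, protocols added in newer JVMs are picked up without a code change, while a configured list that names only SSLv2Hello or SSLv3 is rejected instead of silently enabling them.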