ActiveMQ Classic

AMQ-3508: SSL and TLS - Support list of included and excluded protocols


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0
    • Fix Version/s: 5.6.0
    • Component/s: Connector, Transport
    • Labels: None
    • Environment: JDK7, RHEL5

    Description

      On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
      1.0 (and below) was demonstrated that allows an attacker to decrypt
      communications between 2 parties. The demonstration was against a
      PayPal Authentication cookie, which took 10 minutes to decipher with
      the aid of a packet sniffer and some hostile javascript running in the
      browser.

      http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

      While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
      commonly available in browsers and JVMs. Java 6 currently only
      supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2. It has not
      yet been announced if a TLS 1.1 provider will be made available for
      Java 6. As of recently, the browser support for TLS can be seen at
      http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
      Google Chrome has already announced imminent support for 1.2 and it
      is expected that the other browsers will follow shortly (see
      http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).

      Jetty when used with its default configuration of SSL will use the
      highest common version of TLS available that is shared by the browsers
      and JVM. Thus if jetty is running on java 7 today, it will
      automatically use TLS 1.1 or 1.2 if it is available in the browser.
      However there is currently no mechanism to disable protocol versions
      within Jetty (unless they are disabled in the JVM).

      Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
      included and excluded protocols in the configuration of the
      SslContextFactory class used to configure SSL clients and server
      connectors. This will allow TLS 1.0 to be excluded once clients that
      support it are widely deployed. A stable release of 7.5.2 will be
      available next week.

      We strongly recommend that you upgrade your systems (browser and
      JVMs) to support TLS 1.1 or later. For Jetty servers, this currently
      means running on java 7. Until TLS 1.1 is widely available in
      browsers, it is recommended that you evaluate the risks of continuing
      to provide your services over SSL and TLS.

      regards
      _______________________________________________
      jetty-announce mailing list
      jetty-announce@eclipse.org
      https://dev.eclipse.org/mailman/listinfo/jetty-announce
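The include/exclude selection the announcement describes, shown as an added example in plain JSSE rather than Jetty's own SslContextFactory or ActiveMQ code: the list of protocols to enable is derived from what the JVM supports, filtered by an optional include list and an exclude list, and then applied to an SSLServerSocket. The class and method names (ProtocolSelection, select) are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ProtocolSelection {

    // Start from the protocols the JVM supports (in the JVM's own order),
    // keep only those in the include list if one is given, then drop
    // anything in the exclude list. Refuse to return an empty list, because
    // enabling no protocol at all silently breaks every handshake.
    static String[] select(String[] supported, Set<String> included, Set<String> excluded) {
        List<String> result = new ArrayList<>();
        for (String protocol : supported) {
            if (included != null && !included.isEmpty() && !included.contains(protocol)) {
                continue;
            }
            if (excluded != null && excluded.contains(protocol)) {
                continue;
            }
            result.add(protocol);
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("no TLS protocol left enabled after include/exclude filtering");
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            // Exclude list only: everything the JVM offers except SSLv3 and TLS 1.0,
            // which are the versions the BEAST demonstration targeted.
            Set<String> excluded = new LinkedHashSet<>(Arrays.asList("SSLv3", "TLSv1"));
            String[] enabled = select(server.getSupportedProtocols(), null, excluded);
            server.setEnabledProtocols(enabled);
            System.out.println("Enabled protocols: " + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

Protocol names follow the JSSE convention ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); whether TLS 1.1 and 1.2 appear in getSupportedProtocols() depends on the JVM, as the announcement notes for Java 6 versus Java 7.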

      Attachments

        1. AMQ-3508.txt (30 kB, Timothy A. Bish)

      People

        Assignee: gtully (Gary Tully)
        Reporter: actyahflo (Fengming Lou)