My first thoughts:
- DH small subgroups (CVE-2016-0701)
Our native code sets SSL_OP_SINGLE_DH_USE in sslcontext.c (in the native
impl of SSLContext.make()). This is true for trunk and 1.1.x. This
should suffice to not be exposed to the problem. It is a bit
unfortunate though, that the advisory uses lists of conditions without
explaining whether one should "and" or "or" them...
- SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
In trunk (used for 1.2) we always set SSL_OP_NO_SSLv2 unconditionally
since r1681982 (2015-05-27). So 1.2 should have no problem here. 1.1
does not set the flag, but when used in Tomcat one should be able to
mitigate the problem by setting SSLProtocol. So 1.1 does likely only
have the problem as a library.
- An update on DHE man-in-the-middle protection (Logjam)
Is about clients, so only relevant to native as a lib, not for Tomcat.
So I think we don't *need* a new tcnative. More eyes/thoughts welcome.
Regards,
Rainer