On 28/01/2016 15:47, Rainer Jung wrote:
> My first thoughts:
> 
> - DH small subgroups (CVE-2016-0701)
> 
> Our native code sets SSL_OP_SINGLE_DH_USE in sslcontext.c (in the native
> impl of SSLContext.make()). This is true for trunk and 1.1.x. This
> should suffice to not be exposed to the problem. It is a bit
> unfortunate though, that the advisory uses lists of conditions without
> explaining whether one should "and" or "or" them...
> 
> - SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
> 
> In trunk (used for 1.2) we always set SSL_OP_NO_SSLv2 unconditionally
> since r1681982 (2015-05-27). So 1.2 should have no problem here. 1.1
> does not set the flag, but when using it in Tomcat one should be able to
> mitigate the problem by setting SSLProtocol. So 1.1 does likely only
> have the problem as a library.
> 
> - An update on DHE man-in-the-middle protection (Logjam)
> 
> Is about clients, so only relevant to native as a lib, not for Tomcat.
> 
> So I think we don't *need* a new tcnative. More eyes/thoughts welcome.
Having reviewed the OpenSSL announcement and the tomcat-native code, I
agree with your assessment.

Mark

