On 28/01/2016 15:47, Rainer Jung wrote:
> My first thoughts:
>
> - DH small subgroups (CVE-2016-0701)
>
> Our native code sets SSL_OP_SINGLE_DH_USE in sslcontext.c (in the native
> impl of SSLContext.make()). This is true for trunk and 1.1.x. This
> should suffice to not be exposed to the problem. It is a bit
> unfortunate though, that the advisory uses lists of conditions without
> explaining whether one should "and" or "or" them...
>
> - SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
>
> In trunk (used for 1.2) we always set SSL_OP_NO_SSLv2 unconditionally
> since r1681982 (2015-05-27). So 1.2 should have no problem here. 1.1
> does not set the flag, but when using in Tomcat one should be able to
> mitigate the problem by setting SSLProtocol. So 1.1 does likely only
> have the problem as a library.
>
> - An update on DHE man-in-the-middle protection (Logjam)
>
> Is about clients, so only relevant to native as a lib, not for Tomcat.
>
> So I think we don't *need* a new tcnative. More eyes/thoughts welcome.

Having reviewed the OpenSSL announcement and the tomcat-native code, I agree with your assessment.

Mark