On 01/28/2016 08:48 PM, Mark Thomas wrote: > On 28/01/2016 15:47, Rainer Jung wrote: >> My first thoughts: >> >> - DH small subgroups (CVE-2016-0701) >> >> Our native code sets SSL_OP_SINGLE_DH_USE in sslcontext.c (in the native >> impl of SSLContext.make()). This is true for trunk and 1.1.x. This >> should suffice to not being exposed to the problem. It is a bit >> unfortunate though, that the adisory uses lists of conditions without >> explaining whether one should "and" or "or" them... >> >> - SSLv2 doesn't block disabled ciphers (CVE-2015-3197) >> >> In trunk (used for 1.2) we always set SSL_OP_NO_SSLv2 unconditionally >> since r1681982 (2015-05-27). So 1.2 should have no problem here. 1.1 >> does not set the flag, but when using in Tomcat one should be able to >> mitigat ethe problem by setting SSLProtocol. So 1.1 does likely only >> have the problem as a library. >> >> - An update on DHE man-in-the-middle protection (Logjam) >> >> Is about clients, so only relevant to native as a lib, not for Tomcat. >> >> So I think we don't *need* a new tcnative. More eyes/thoughts welcome. > > Having reviewed the OpenSSL announcement and the tomcta-native code, I > agree with your assessment.
So I will process with the tomcat6 release process during the week-end to get a release during next week. Cheers Jean-Frederic > > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
