On 29/04/2022 19:41, Christopher Schultz wrote:
<snip/>
1. The underlying JVM is affected
2. A Connector is defined with uses mutual TLS
3. The client's key is ECDSA
<snip/>
I was thinking that on startup, we could check for a vulnerable
environment and simply refuse to start the server.
If there are no objections, I was thinking of putting this into the
SecurityListener. I assume that all the necessary information is
available to a LifecycleListener such as being able to enumerate the
Connectors to check on items #2 and #3 above?
My understanding is that a CA with an RSA key can sign a client cert
with an ECDSA key. In that scenario, if the Tomcat system has been
configured with just the CA's trusted cert (a likely scenario since you
don't want to have to updated the trusted certs every time you add a
user) then test #3 won't work.
I'm wondering if we want to introduce a Java version equivalent of the
checks we have for Tomcat Native version. i.e. for each major Java
version, have a minimum required version where Tomcat won't start if
used and a recommended version where Tomcat starts with a warning.
One of the arguments against adding checks like these is that they only
work if folks update Tomcat. If folks are updating Tomcat regularly then
they are likely updating the JRE too. So I wonder what the return on the
investment is.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
