On 31/07/2014 22:50, Mark Thomas wrote:
> I'm beginning to think that this feature is more effort than it is worth.

<snip/>

> The expected behaviour of this code is that for any given specification:
> - passing it through OpenSSL and mapping the resulting ciphers to those
>   supported by the current JRE; and
> - passing it through this parser
>
> gives the same set of JSSE ciphers in the same order.
>
> Every time this doesn't happen we have a potential security issue since
> a weaker than intended cipher may be enabled. The incorrect handling of
> "ALL" that I have just fixed is an obvious example of such an issue.

Actually it is worse than that. Any difference is a potential security
issue as aliases may be used for inclusion and exclusion. Any
differences in the results for an alias could result in a cipher being
enabled that shouldn't be.

Mark
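
The point about aliases used for exclusion, as an added example that is not part of the original message or of Tomcat's code: a simplified Python model of cipher-string expansion is run against two alias tables and reports any difference in membership or order. The alias tables, the names `expand` and `compare`, and the defect in the second table are constructed for illustration.

```python
# Simplified model of OpenSSL cipher-string evaluation: ':'-separated items,
# plain alias = append, '-' = remove, '!' = remove permanently.
# The alias tables below are constructed sample data, not OpenSSL's or Tomcat's.

REFERENCE = {
    "ALL": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"],
    "AES": ["AES256-SHA", "AES128-SHA"],
    "RC4": ["RC4-SHA", "RC4-MD5"],
    "MD5": ["RC4-MD5"],
}
# Hypothetical parser under test: its RC4 alias is missing one cipher.
CANDIDATE = dict(REFERENCE, RC4=["RC4-SHA"])


def expand(spec, aliases):
    """Return the ordered cipher list a spec produces under one alias table."""
    enabled, killed = [], set()
    for item in filter(None, spec.split(":")):
        op = item[0] if item[0] in "!-" else ""
        name = item[len(op):]
        # A token that is not an alias is treated as a single cipher name.
        members = aliases.get(name, [name])
        if op == "!":
            killed.update(members)
        if op:
            enabled = [c for c in enabled if c not in members]
        else:
            enabled += [c for c in members
                        if c not in enabled and c not in killed]
    return enabled


def compare(spec, reference=REFERENCE, candidate=CANDIDATE):
    """Differential check: any mismatch in membership or order is a finding."""
    want, got = expand(spec, reference), expand(spec, candidate)
    return {
        "match": want == got,
        "unexpectedly_enabled": [c for c in got if c not in want],
        "missing": [c for c in want if c not in got],
        "order_differs": sorted(want) == sorted(got) and want != got,
    }


if __name__ == "__main__":
    for spec in ("ALL:!RC4", "AES:RC4", "ALL:!MD5"):
        print(spec, compare(spec))
```

With the same alias defect, `AES:RC4` only loses a cipher, while `ALL:!RC4` leaves `RC4-MD5` enabled: the exclusion case is the one that weakens the configuration.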