Author: kkolinko
Date: Wed Oct 22 22:57:19 2014
New Revision: 1633726
URL: http://svn.apache.org/r1633726
Log:
Update vote and comment
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1633726&r1=1633725&r2=1633726&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Oct 22 22:57:19 2014
@@ -60,17 +60,24 @@ PATCHES PROPOSED TO BACKPORT:
* Mitigate POODLE by disabling SSLv3 by default for JSSE
http://people.apache.org/~markt/patches/2014-10-21-poodle-tc6-v2.patch
+1: markt, schultz
+ +1: kkolinko (several comments below)
-1:
- -0: kkolinko: I think that JSSESocketFactory.getEnabledProtocols() shall
- not return DEFAULT_SERVER_PROTOCOLS list in case if there are no
- matches. This behaviour silently enables default list of protocols,
- instead of erroring out.
- This bug did exist before this patch, so I filed
- https://issues.apache.org/bugzilla/show_bug.cgi?id=57116
-
- I wish there were some debug logging to see what protocols are being
- filtered out by "if (protocol.contains("SSL"))".
- markt: Addressed in v2 patch
+ kkolinko:
+ Good.
+ I think this makes BZ 57116 fixed as well.
+ Several notes:
+ 1) From BZ 56780 the static{} block in JSSESocketFactory
+ needs try/catch(IllegalArgumentException),
+ like it is already done in Tomcat 7 in r1615951
+
+ 2) In getEnabledProtocols() the
+ "if (requestedProtocols == null) { return DEFAULT_SERVER_PROTOCOLS; }"
+ block can be moved several lines earlier.
+
+ 3) From BZ 56780 the DEFAULT_SERVER_PROTOCOLS value might result as
+ null. I am afraid that passing that null to Java APIs will result in
+ some cryptic messages. This question may be addressed later via BZ 56780.
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=56780#c9
schultz: it's not clear from the code what will happen if
DEFAULT_SERVER_PROTOCOLS remains null. Would it be more clear
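Review bot: The vote line changes from -0 to +1, yet note 3 leaves the null DEFAULT_SERVER_PROTOCOLS case explicitly unresolved ("This question may be addressed later via BZ 56780"), and the schultz comment that follows raises the same question; the STATUS entry should state plainly whether the null case is a blocker for this backport or is deferred to BZ 56780, so the tally is not read as approval of unchecked null handling. Note 1 likewise asks for a try/catch(IllegalArgumentException) around the static{} block "like it is already done in Tomcat 7 in r1615951" without saying whether that is expected inside this patch or as a follow-up commit; one sentence either way would make the remaining work clear to whoever applies the backport.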