https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Thomas changed:
What|Removed |Added
Status|REOPENED|RESOLVED
Resolution|---
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #45 from Mark Woon ---
In reply to comment #43: yes.
I also agree with comment #33 - SSLv2 and SSLv3 should just be removed from the
options.
So glad to see that this is moving forward.
--
You are receiving this mail because
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #44 from Christopher Schultz ---
(In reply to Ralf Hauser from comment #43)
> I guess comment 30 ff. refers to
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 ?
Yes.
Patches are available for all supported ver
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #43 from Ralf Hauser ---
I guess comment 30 ff. refers to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 ?
--
You are receiving this mail because:
You are the assignee for the bug.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #42 from Christopher Schultz ---
Patch proposed for tc6:
http://people.apache.org/~schultz/patches/53952.tc6.patch
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Brett Randall changed:
What|Removed |Added
CC||javabr...@gmail.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz changed:
What|Removed |Added
Status|RESOLVED|REOPENED
Resolution|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #39 from Christopher Schultz ---
Fixed in tcnative-trunk in r1632593 and tcnative-1.1.x in r1632595. Will be in
tcnative 1.1.32.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz changed:
What|Removed |Added
Attachment #32114|0 |1
is patch|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Christopher Schultz changed:
What|Removed |Added
Attachment #32115|0 |1
is patch|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #37 from Christopher Schultz ---
I'm looking at Marcel's attachment #30150 and the protocol selection is a bit
verbose though methodical.
It took a bit of thinking to understand why the code does what it does.
Specifically, it
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #36 from Christopher Schultz ---
I'll do another review of the tcnative patch and apply as appropriate.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #35 from Mark Thomas ---
Agreed. I'll start looking at this today with a view to getting a release out
next week.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #34 from Christopher Schultz ---
(In reply to jfclere from comment #31)
> Created attachment 32114 [details]
> patch for the issue.
>
> The patch works for me.
> Basically the SSL.java needs the new SSL_PROTOCOL_TLS11 and
> SSL
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #33 from jeffrey.jan...@polydyne.com ---
I was looking at the code for the patch in Comment #32 and noticed that you
introduced a regression. SSLv2 was removed from the ALL list sometime back so
that the default was to not suppor
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
jfclere changed:
What|Removed |Added
CC||jfcl...@gmail.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #32 from jfclere ---
Created attachment 32115
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32115&action=edit
patch for tc-trunk.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #31 from jfclere ---
Created attachment 32114
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32114&action=edit
patch for the issue.
The patch works for me.
Basically the SSL.java needs the new SSL_PROTOCOL_TLS11 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Woon changed:
What|Removed |Added
CC||markw...@gmail.com
--- Comment #30 fro
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mark Hobden changed:
What|Removed |Added
CC||m...@mclgm.net
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #29 from Christopher Schultz ---
(In reply to Mudassir Aftab from comment #27)
> Comment on attachment 29433 [details]
> patch for tomcat trunk that adds support for newer TLS versions
>
> This patch is not working for me
>
>
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #28 from Mudassir Aftab ---
Comment on attachment 29433
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29433
patch for tomcat trunk that adds support for newer TLS versions
Hi,
This patch is not working for me
/o
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Mudassir Aftab changed:
What|Removed |Added
CC||withmudas...@gmail.com
--- Commen
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Ralf Hauser changed:
What|Removed |Added
CC||hau...@acm.org
--- Comment #26 from
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #25 from Marcel Šebek ---
(In reply to Christopher Schultz from comment #23)
> I've taken another look at the (updated) patches. I'm confused by the
> changes to sslcontext.c. It looks like there is no provision for
> combinatio
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #24 from Rainer Jung ---
I suggest we try to stay compatible with the httpd notations:
http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslprotocol
The code in tcnative that handles the protocol settings was largely borrow
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #23 from Christopher Schultz ---
I've taken another look at the (updated) patches. I'm confused by the changes
to sslcontext.c. It looks like there is no provision for combinations of
SSL/TLS protocols.
For instance, if I reque
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29459|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #21 from Marcel Šebek ---
Actually, the comment came from OpenSSL. Here is part of 1.0.1e ssl.h:
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
*/
/* The next flag delib
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #20 from Christopher Schultz ---
Given the comment in OpenSSL that SSL_OP_PKCS1_CHECK_{1,2} were never used, I
think it's reasonable to use the new symbolic names and remove the old ones.
Note that it will also require a patch t
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #30111|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #18 from Marcel Šebek ---
Created attachment 30149
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30149&action=edit
patch dropping SSL_OP_PKCS* from supported_ssl_opts
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #17 from Marcel Šebek ---
The problem is the following. OpenSSL 0.9.8y defines SSL_OP_PKCS1_CHECK_{1,2} as
0x0800L and 0x1000L while OpenSSL 1.0.1e uses the same values for
SSL_OP_NO_TLSv1_{1,2}, and defines SSL_OP_PKCS1_CHE
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #16 from Marcel Šebek ---
Oops, there seems to be a problem with OpenSSL 0.9.8. Previously, I tested
1.0.1e and that worked, but the older version seems to have problems with
the default protocol set. I currently have no time to
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #15 from Marcel Šebek ---
Created attachment 30112
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30112&action=edit
Patch for jboss-web
Just for reference, here is the patch for jboss-web that I've tested.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29457|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29458|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #13 from Christopher Schultz ---
Have you been testing your patch? Last I heard, you had only compile-tested
it...
If you have some additional evidence that it's working in a test rig, I'm happy
to give it a shot.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #12 from Marcel Šebek ---
Now that there is a known practical attack against RC4 in SSL, we have no
secure ciphersuite in TLS 1.0, and this issue probably has higher priority than
before. What is the reason for not applying this
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #11 from Christopher Schultz ---
(In reply to comment #9)
> In the tomcat part, I rely on the SSL.hasOp functionality to check whether
> the tcnative library supports newer protocols.
Good thing someone fixed that recently ;)
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #10 from Marcel Šebek ---
I forgot to mention that the patches are compile-tested only.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29433|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29435|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Marcel Šebek changed:
What|Removed |Added
Attachment #29434|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #6 from Christopher Schultz ---
I like this patch, but since security is involved, I think I'd like to see a
check in the Java code against the (likely) tcnative version that can support
TLSv1.1 and TLSv1.2. We don't want people
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #5 from Christopher Schultz ---
(In reply to comment #3)
> This introduces a compile-time dependency on OpenSSL 1.0.1+.
Retracted: I have successfully built (but not tested) this patch against
tcnative 1.1.x with both OpenSSL 0
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #4 from sebe...@post.cz ---
This is not the case, because the parts of code which depend on the newer
library version are #ifdef'ed. Actually, the patches improve compatibility with
newer OpenSSL versions, as the library may be c
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #3 from Christopher Schultz ---
This introduces a compile-time dependency on OpenSSL 1.0.1+.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
sebe...@post.cz changed:
What|Removed |Added
CC||sebe...@post.cz
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #2 from sebe...@post.cz ---
Created attachment 29435
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29435&action=edit
patch for tcnative 1.1 branch
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #1 from sebe...@post.cz ---
Created attachment 29434
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29434&action=edit
patch for tcnative trunk that adds support for newer TLS versions