[rfc][icedtea-web] https probing

Omair Majid omajid at redhat.com
Mon Aug 18 18:46:06 UTC 2014


Hi,


* Jacob Wisor <gitne at gmx.de> [2014-08-11 12:12]:
> On 08/08/2014 10:37 AM, Jiri Vanek wrote:
> >Unluckily, this fix patch is not helping obscure servers to exist.
> >It really fixes bugs.
> >
> >First part of fix is delivered to be able to handle SSLv2 handshake. Those servers
> >do exist, and have no reason nor need to update or patch or whatever. We are
> >wrong by not allowing it right now.
> >See System.setProperty("https.protocols", "SSLv3,SSLv2Hello"); in code.
> 
> Oh yes they do need fixing. SSLv2 is insecure and has been revoked by the
> IETF, period. Nobody should be using it. Even SSL 3.0 is deemed by the IETF
> as historic (https://datatracker.ietf.org/doc/rfc6101) although it is
> largely identical to TLS 1.0. Nevertheless, nobody should be using it
> either. Just one of many reasons is that it does not even support such a
> common hash algorithm as SHA1 (which by the way has been deprecated by NIST
> in favor of SHA256 too). Everybody should really upgrade to at least TLS
> 1.0, even though possible security leaks have been discovered in TLS 1.0 on
> specific configuration settings permutations.
> 
> DO NOT use SSL anymore and DO NOT promote them in your software. Upgrade to TLS.

This isn't SSLv2, though. It's an SSLv2 hello packet wrapping an SSLv3
packet: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=4915862

It's actually part of the TLS 1.0 spec:
https://www.ietf.org/rfc/rfc2246.txt, Appendix E.

Thanks,
Omair

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
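
The distinction drawn in the reply above, as an added example that is not part of the original message or of icedtea-web's code: a parser that separates the framing of a ClientHello from the protocol version it offers, following the V2 CLIENT-HELLO layout in RFC 2246 Appendix E. The function names and the sample bytes are constructed for illustration.

```python
import struct

# (major, minor) as carried in the hello's version field.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Return the framing of a ClientHello and the highest version it offers."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # V2-format CLIENT-HELLO: 2-byte length with the high bit set,
        # msg_type 1, version, then three 16-bit length fields.
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        version = (data[3], data[4])
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        if length != 9 + cs_len + sid_len + ch_len or len(data) < 2 + length:
            raise ValueError("inconsistent V2 CLIENT-HELLO lengths")
        if cs_len == 0 or cs_len % 3:
            raise ValueError("cipher specs must be a non-empty list of 3-byte entries")
        framing = "SSLv2Hello"
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # Record layer (type 22, version, length) + handshake header
        # (type 1, 3-byte length), followed by client_version.
        version = (data[9], data[10])
        framing = "v3 record"
    else:
        raise ValueError("not a ClientHello")
    return {"framing": framing,
            "offers": VERSIONS.get(version, "unknown %d.%d" % version),
            # Only a version field of 0.2 asks for the SSLv2 protocol itself.
            "negotiates_sslv2": version == (0, 2)}

def build_v2_hello(version, cipher_specs, challenge=bytes(32)):
    """Build a constructed V2-format hello for the demonstration below."""
    body = (bytes([0x01, *version])
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples: same envelope, different version field.
WRAPPED_V3 = build_v2_hello((3, 0), bytes([0x00, 0x00, 0x0A]))
REAL_V2 = build_v2_hello((0, 2), bytes([0x07, 0x00, 0xC0]))

if __name__ == "__main__":
    for name, hello in (("wrapped v3", WRAPPED_V3), ("real v2", REAL_V2)):
        print(name, classify_client_hello(hello))
```

Both samples share the SSLv2Hello envelope; only the version field differs, and that field is what decides whether SSLv2 itself is being requested.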