[jboss-jira] [JBoss JIRA] (ELY-1009) Default settings of SSL session caching for Elytron *-ssl-context are not safe

Ilia Vassilev (JIRA) issues at jboss.org
Thu Mar 16 10:01:00 EDT 2017


     [ https://issues.jboss.org/browse/ELY-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ilia Vassilev moved JBEAP-9633 to ELY-1009:
-------------------------------------------

              Project: WildFly Elytron  (was: JBoss Enterprise Application Platform)
                  Key: ELY-1009  (was: JBEAP-9633)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: SSL
                           (was: Security)
    Affects Version/s: 1.1.0.Beta29
                           (was: 7.1.0.DR13)


> Default settings of SSL session caching for Elytron *-ssl-context are not safe
> ------------------------------------------------------------------------------
>
>                 Key: ELY-1009
>                 URL: https://issues.jboss.org/browse/ELY-1009
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.1.0.Beta29
>            Reporter: Ilia Vassilev
>            Assignee: Ilia Vassilev
>            Priority: Critical
>              Labels: default, management-model, ssl, tls
>
> The default values of {{maximum-session-cache-size}} and {{session-timeout}} of Elytron {{*-ssl-context}} are {{0}}. This is not safe because SSL sessions can be stored indefinitely. Furthermore, such default settings overwrite the default settings in Java, which can be unexpected.
> There should be a reasonable combination of values, or the Java default values should be used.
> For example, see http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLSessionContextImpl.java



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
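Added example, not part of the JIRA issue or of Elytron: it uses plain JSSE (the {{SSLSessionContextImpl}} the issue links to is its JDK implementation) to show what the reported {{0}}/{{0}} defaults mean, since in JSSE a cache size of 0 means no limit and a timeout of 0 means sessions never expire, and adds a startup check that a context has bounded session caching. The bounded values 1024 sessions and 300 seconds are assumptions chosen for illustration, not values the issue prescribes.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

public class SslSessionCacheDefaults {

    // Values the issue reports as the Elytron defaults; in JSSE both mean "unbounded".
    static final int ELYTRON_DEFAULT_CACHE_SIZE = 0;
    static final int ELYTRON_DEFAULT_TIMEOUT_SECONDS = 0;

    // Assumed bounded values for illustration (not prescribed by the issue).
    static final int BOUNDED_CACHE_SIZE = 1024;      // cached sessions
    static final int BOUNDED_TIMEOUT_SECONDS = 300;  // five minutes

    /** True only if both the number of cached sessions and their lifetime are limited. */
    static boolean hasBoundedSessionCache(SSLSessionContext ctx) {
        return ctx.getSessionCacheSize() > 0 && ctx.getSessionTimeout() > 0;
    }

    static void report(String label, SSLSessionContext ctx) {
        int size = ctx.getSessionCacheSize();
        int timeout = ctx.getSessionTimeout();
        System.out.printf("%-24s cache size=%s, timeout=%s, bounded=%b%n", label,
                size == 0 ? "unlimited" : Integer.toString(size),
                timeout == 0 ? "never expires" : timeout + "s",
                hasBoundedSessionCache(ctx));
    }

    public static void main(String[] args) throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null); // JDK default key and trust material
        SSLSessionContext server = sslContext.getServerSessionContext();

        // JDK defaults as shipped (finite cache size and timeout).
        report("JDK defaults", server);

        // What the reported Elytron defaults do to the same context.
        server.setSessionCacheSize(ELYTRON_DEFAULT_CACHE_SIZE);
        server.setSessionTimeout(ELYTRON_DEFAULT_TIMEOUT_SECONDS);
        report("Elytron 0/0", server);

        // A bounded configuration that a self-check at startup would accept.
        server.setSessionCacheSize(BOUNDED_CACHE_SIZE);
        server.setSessionTimeout(BOUNDED_TIMEOUT_SECONDS);
        report("Bounded values", server);
        if (!hasBoundedSessionCache(server)) {
            throw new IllegalStateException("TLS session cache is unbounded");
        }
    }
}
```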