[keycloak-dev] Blacklisting/document broken protocols
Bruno Oliveira
bruno at abstractj.org
Tue Mar 1 15:25:05 EST 2016
Ahoy, today I was reading about this "new" vulnerability in TLS
(http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html)
and was wondering whether we should blacklist or document broken protocols,
preventing people from deploying Keycloak in non-secure environments.
Something like this was already suggested for POODLE here:
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
Snippet:
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLSocket;

// createSocket(...) returns a plain Socket, so the cast is needed.
SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(...);
// Strip "SSLv3" (and the "SSLv2Hello" pseudo-protocol, which permits an
// SSLv2-format ClientHello) from the currently enabled protocols.
String[] protocols = sslSocket.getEnabledProtocols();
Set<String> set = new HashSet<>();
for (String s : protocols) {
    if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
        continue; // drop the broken protocol
    }
    set.add(s);
}
sslSocket.setEnabledProtocols(set.toArray(new String[0]));
Should we document? Blacklist? Or leave it as is?
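As an added example (not code from this thread, from the Oracle note, or from Keycloak itself), the filtering above can be turned into a reusable policy. The blacklist is an assumption: the two names from the Oracle snippet plus "SSLv2" itself, the protocol DROWN targets. The class also reports which blacklisted names the JVM's default SSLContext still enables, which is the kind of startup check a deployment could fail on instead of relying on documentation alone. Java 8 collections are used so it compiles on the JDKs of that era.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/** Added example, not part of the keycloak-dev thread or of Keycloak. */
public final class BrokenProtocolPolicy {

    // Assumed blacklist: the Oracle note's "SSLv3" and "SSLv2Hello"
    // (a JSSE pseudo-protocol that accepts an SSLv2-format ClientHello),
    // plus "SSLv2" itself, the protocol abused by DROWN.
    static final Set<String> BLACKLIST = new HashSet<>(
            Arrays.asList("SSLv2", "SSLv2Hello", "SSLv3"));

    /** Returns the entries of {@code enabled} that are not blacklisted, order preserved. */
    static String[] filter(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String p : enabled) {
            if (!BLACKLIST.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    /** Blacklisted protocol names that the JVM's default SSLContext currently enables. */
    static List<String> enabledBrokenProtocols() throws NoSuchAlgorithmException {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> bad = new ArrayList<>();
        for (String p : params.getProtocols()) {
            if (BLACKLIST.contains(p)) {
                bad.add(p);
            }
        }
        return bad;
    }

    /** Client side: same effect as the Oracle snippet, but driven by the blacklist. */
    static void harden(SSLSocket socket) {
        socket.setEnabledProtocols(filter(socket.getEnabledProtocols()));
    }

    /** Server side: the listening socket is where a server such as Keycloak would apply this. */
    static void harden(SSLServerSocket socket) {
        socket.setEnabledProtocols(filter(socket.getEnabledProtocols()));
    }

    public static void main(String[] args) throws Exception {
        List<String> bad = enabledBrokenProtocols();
        if (bad.isEmpty()) {
            System.out.println("No blacklisted protocols enabled by default.");
        } else {
            // A deployment could refuse to start here, or disable the names
            // JVM-wide through jdk.tls.disabledAlgorithms in java.security.
            System.out.println("Blacklisted protocols enabled by default: " + bad);
        }

        // Constructed sample input showing the filter in isolation.
        String[] sample = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(sample) + " -> "
                + Arrays.toString(filter(sample)));
    }
}
```

The same filter applies to both socket types, so a server cannot end up with a hardened client socket but an unfiltered listener. Checking `SSLContext.getDefault()` at startup is the "blacklist" option from the question in code form: it catches a JVM whose `java.security` file still permits the old protocols before any connection is accepted.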