Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.1.0.Beta34
Affects Version/s: 1.1.0.Beta29
Component/s: SSL
Labels:
- default
- management-model
- ssl
- tls

Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/736

The default values of maximum-session-cache-size and session-timeout of Elytron *-ssl-context are 0. This is not safe because SSL sessions can be stored indefinitely. Furthermore, such default settings overwrites default settings in Java, which can be unexpected.

There should be reasonable combination of values, or Java default values should be (let) used.

For example, see http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLSessionContextImpl.java

clones

JBEAP-9481 Default settings of SSL session caching for Elytron *-ssl-context are not safe

Verified

is related to

WFCORE-2570 Explain the meaning of and set default values of maximum-session-cache-size and session-timeout

Resolved

Assignee:: Ilia Vassilev

Reporter:: Ilia Vassilev

Tester:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2017/03/16 9:59 AM

Updated:: 2022/08/22 4:37 PM

Resolved:: 2017/07/13 11:01 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates