Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.1.0.DR16
Affects Version/s: 7.1.0.DR13, 7.1.0.DR16
Component/s: Security
Labels:
- default
- eap71_beta
- management-model
- ssl
- tls

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/736

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The default values of maximum-session-cache-size and session-timeout of Elytron *-ssl-context are 0. This is not safe because SSL sessions can be stored indefinitely. Furthermore, such default settings overwrites default settings in Java, which can be unexpected.

There should be reasonable combination of values, or Java default values should be (let) used.

For example, see http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLSessionContextImpl.java

is cloned by

ELY-1009 Default settings of SSL session caching for Elytron *-ssl-context are not safe

Resolved

is related to

JBEAP-9780 Explain the meaning of and set default values of maximum-session-cache-size and session-timeout

Verified

Assignee:: Ilia Vassilev

Reporter:: Ondrej Kotek

Tester:: Ondrej Kotek

QA Contact:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/03/10 8:39 AM

Updated:: 2022/08/22 4:35 PM

Resolved:: 2017/04/11 3:33 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Hide