http://issues.apache.org/bugzilla/show_bug.cgi?id=29695

regression in SSL cipher strength

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From [EMAIL PROTECTED]  2004-06-29 08:24 -------

This is very irritating. So far, I thought that the open-source philosophy is about everybody contributing what she or he can. In this spirit, it should be o.k. if somebody only describes a symptom of a problem, but doesn't give the solution at the same time.

Sure, such symptoms may go unresolved/unanswered if no one else is affected by them. And since those "free testers" are not paid, their "hit rate and description quality" may be lower than when paid testers are used. But that (without any apparent effort to reproduce the issue by the bug-committer) such a symptom description gets resolved as "invalid" appears to be quite alarming - are the bug-committers of the Tomcat project interested in constructive(!) feedback at all?

Especially if it is in the security domain, it is dangerous to claim a problem doesn't exist just because one doesn't feel like spending time on it. Sure, this is not OpenBSD nor is it a major security hole and thus I didn't expect that everybody would jump to fix it, but something that can be reproduced without any effort to be declared invalid is very strange.

So far, I told my clients: "and if you use an open-source browser such as Mozilla, you even get double strength payload encryption!" - this unfortunately no longer holds with Tomcat 5.

As per the issue - I could easily provide screenshots, server.xml files etc. and I did ask Remy in a private conversation that unfortunately was never answered:

<<From: Ralf Hauser [EMAIL PROTECTED]
Sent: Sunday, June 20, 2004 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Regression in SSL cipher strength

Remy,

I am happy to give you more details.
It is really "ceteris paribus" - the only change is that I use v4 or v5 of Tomcat. Same application as before, same certificates.

Where would you need more background info in order to further consider this?

Regards
Ralf>>