tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [PROPOSAL] Add support for enabling/disabling specific SSL cipher suites
Date Thu, 10 Apr 2003 07:10:33 GMT

----- Original Message -----
From: "Jan Luehe" <Jan.Luehe@Sun.COM>
To: <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, April 09, 2003 7:02 PM
Subject: [PROPOSAL] Add support for enabling/disabling specific SSL cipher suites


> Problem description:
> -------------------
> Currently, it is impossible to configure (that is, enable or disable)
> a specific subset of cipher suites that an SSL-enabled connector
> should present for negotiation with the client during an SSL
> handshake, meaning that all the cipher suites supported by the
> underlying SSL implementation library are automatically enabled. In
> some cases, it would be useful to be able to tailor the set of cipher
> suites enabled by the connector.
>
>
> Proposal:
> --------
> Add 'cipherSuites' attribute to the <Factory> subelement of
> <Connector>. The value of 'cipherSuites' is a comma-separated list of
> cipher suite names, optionally preceded by "-" to indicate that a
> specific cipher suite should be disabled. If the 'cipherSuites'
> attribute is not present, all supported cipher suites are
> automatically enabled.
>

+1.

>
> New APIs:
> --------
> org.apache.coyote.tomcat5.CoyoteServerSocketFactory:
>   public String getCipherSuites()
>   public void setCipherSuites(String)
>
> org.apache.coyote.tomcat5.CoyoteConnector:
>   public String getCipherSuites()
>   public void setCipherSuites(String)
>

-0. Not really a Connector issue.  SSL is handled at a lower level, and is
hidden from the web-app.  Since it is also meaningless for Jk Connectors, I
may change this to -1.

> These methods will be implemented using a combination of the
> getSupportedCipherSuites and setEnabledCipherSuites methods
> of javax.net.ssl.SSLServerSocket.
>

-1.  We've done a lot of work to separate Tomcat from JSSE.  I don't want to
back-slide now.

>
> Examples:
> --------
> Assume the following imaginary cipher suites are supported by the
> underlying SSL library:
>
>   cipher1
>   cipher2
>   cipher3
>   cipher4
>   cipher5
>
> EXAMPLE 1:
>
>   <Connector ...
>     <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
>              cipherSuites="cipher1,cipher2,cipher3"/>
>   </Connector>
>
>   Enabled cipher suites: cipher1,cipher2,cipher3
>
> EXAMPLE 2:
>
>   <Connector ...
>     <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
>              cipherSuites="-cipher2,-cipher3"/>
>   </Connector>
>
>   Enabled cipher suites: cipher1,cipher4,cipher5
>
>
> Comments?
>
>
> Jan
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>


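For reference, the semantics the quoted proposal describes (comma-separated names, a leading "-" to disable a suite, all supported suites when the attribute is absent) can be spelled out as follows. This is an added illustration, not Tomcat's code; the class name, the handling of a list that mixes enable and disable entries, and the rejection of unknown names are assumptions, chosen so a misspelled suite name fails loudly at startup instead of leaving an unintended suite negotiable.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;

// Added illustration of the proposed 'cipherSuites' attribute; not Tomcat code.
public class CipherSuiteFilter {

    /**
     * Resolves the attribute value against the suites the SSL library supports.
     * Absent or empty attribute: every supported suite is enabled.
     * Plain names form an explicit enable list; "-name" entries are removed.
     * Mixing both (assumed here, not covered by the proposal) starts from the
     * explicit list and then applies the removals. Unknown names are rejected
     * up front: SSLServerSocket.setEnabledCipherSuites would otherwise throw
     * IllegalArgumentException, and a typo in a "-" entry would silently leave
     * that suite enabled.
     */
    static String[] resolve(String cipherSuites, String[] supported) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        Set<String> include = new LinkedHashSet<>();
        Set<String> exclude = new LinkedHashSet<>();
        if (cipherSuites != null) {
            for (String token : cipherSuites.split(",")) {
                String name = token.trim();
                if (name.isEmpty()) {
                    continue;
                } else if (name.startsWith("-")) {
                    exclude.add(name.substring(1).trim());
                } else {
                    include.add(name);
                }
            }
        }
        Set<String> unknown = new LinkedHashSet<>(include);
        unknown.addAll(exclude);
        unknown.removeAll(supportedSet);
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("Unsupported cipher suites: " + unknown);
        }
        Set<String> enabled = new LinkedHashSet<>(include.isEmpty() ? supportedSet : include);
        enabled.removeAll(exclude);
        return enabled.toArray(new String[0]);
    }

    /** Applies the resolved list to a JSSE server socket, as the proposal intends. */
    static void apply(SSLServerSocket socket, String cipherSuites) {
        socket.setEnabledCipherSuites(resolve(cipherSuites, socket.getSupportedCipherSuites()));
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the proposal's imaginary suites cipher1..cipher5
        String[] supported = {"cipher1", "cipher2", "cipher3", "cipher4", "cipher5"};
        System.out.println(Arrays.toString(resolve("cipher1,cipher2,cipher3", supported)));
        System.out.println(Arrays.toString(resolve("-cipher2,-cipher3", supported)));
        System.out.println(Arrays.toString(resolve(null, supported)));
    }
}
```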

