tomcat-dev mailing list archives

From Jan Luehe <Jan.Lu...@Sun.COM>
Subject [PROPOSAL] Add support for enabling/disabling specific SSL cipher suites
Date Thu, 10 Apr 2003 02:02:04 GMT
Problem description:
-------------------
Currently, it is impossible to configure (that is, enable or disable)
a specific subset of cipher suites that an SSL-enabled connector
should present for negotiation with the client during an SSL
handshake, meaning that all the cipher suites supported by the
underlying SSL implementation library are automatically enabled. In
some cases, it would be useful to be able to tailor the set of cipher
suites enabled by the connector.


Proposal:
--------
Add a 'cipherSuites' attribute to the <Factory> subelement of
<Connector>. The value of 'cipherSuites' is a comma-separated list of
cipher suite names, optionally preceded by "-" to indicate that a
specific cipher suite should be disabled. If the 'cipherSuites'
attribute is not present, all supported cipher suites are
automatically enabled.


New APIs:
--------
org.apache.coyote.tomcat5.CoyoteServerSocketFactory:
  public String getCipherSuites()
  public void setCipherSuites(String)

org.apache.coyote.tomcat5.CoyoteConnector:
  public String getCipherSuites()
  public void setCipherSuites(String)

These methods will be implemented using a combination of the
getSupportedCipherSuites and setEnabledCipherSuites methods
of javax.net.ssl.SSLServerSocket.


Examples:
--------
Assume the following imaginary cipher suites are supported by the
underlying SSL library:

  cipher1
  cipher2
  cipher3
  cipher4
  cipher5

EXAMPLE 1:

  <Connector ...
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             cipherSuites="cipher1,cipher2,cipher3"/>
  </Connector>

  Enabled cipher suites: cipher1,cipher2,cipher3

EXAMPLE 2:

  <Connector ...
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             cipherSuites="-cipher2,-cipher3"/>
  </Connector>

  Enabled cipher suites: cipher1,cipher4,cipher5
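The following is an added example, not code from Tomcat or from this
proposal, showing one way the 'cipherSuites' semantics above could be
implemented on top of getSupportedCipherSuites/setEnabledCipherSuites.
The class and method names (CipherSuiteSelector, select, apply) are
assumptions, as is the handling of a list that mixes positive and "-"
entries (positive entries select, "-" entries are then removed), which
the proposal does not define. It also goes one step beyond the
proposal by rejecting names the library does not support: a silently
ignored "-weakcipher" typo would leave that suite enabled, which is the
failure mode an operator using this attribute most wants to avoid.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLServerSocket;

/**
 * Added example (not Tomcat's code): derives the cipher suites to enable
 * from a 'cipherSuites' attribute value and the list of suites supported
 * by the underlying SSL library.
 */
public final class CipherSuiteSelector {

    private CipherSuiteSelector() {
    }

    /**
     * Applies a 'cipherSuites' attribute value to the supported suites.
     *  - null/empty value: every supported suite is enabled.
     *  - names without "-": only those suites are enabled.
     *  - names with "-":    those suites are removed from the result.
     * The result keeps the order in which the library reports the suites.
     */
    public static String[] select(String cipherSuites, String[] supported) {
        Set<String> supportedSet = new LinkedHashSet<String>(Arrays.asList(supported));
        if (cipherSuites == null || cipherSuites.trim().length() == 0) {
            return supported.clone();
        }

        List<String> include = new ArrayList<String>();
        List<String> exclude = new ArrayList<String>();
        for (String token : cipherSuites.split(",")) {
            String name = token.trim();
            if (name.length() == 0) {
                continue; // tolerate "a,,b" and a trailing comma
            }
            if (name.startsWith("-")) {
                exclude.add(name.substring(1).trim());
            } else {
                include.add(name);
            }
        }

        // Added check (not in the proposal): a name the library does not
        // support is a configuration error, not something to skip quietly.
        for (String name : include) {
            requireSupported(name, supportedSet);
        }
        for (String name : exclude) {
            requireSupported(name, supportedSet);
        }

        // Start from the explicitly listed suites, or from all supported
        // suites when the value contains only "-" entries.
        Set<String> enabled = new LinkedHashSet<String>();
        if (include.isEmpty()) {
            enabled.addAll(supportedSet);
        } else {
            for (String name : supported) {
                if (include.contains(name)) {
                    enabled.add(name); // keep the library's ordering
                }
            }
        }
        enabled.removeAll(exclude);

        if (enabled.isEmpty()) {
            throw new IllegalArgumentException(
                    "cipherSuites value leaves no cipher suite enabled: " + cipherSuites);
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    private static void requireSupported(String name, Set<String> supportedSet) {
        if (!supportedSet.contains(name)) {
            throw new IllegalArgumentException("Unsupported cipher suite: " + name);
        }
    }

    /** Applies the attribute to a real server socket (the connector's use). */
    public static void apply(SSLServerSocket socket, String cipherSuites) {
        socket.setEnabledCipherSuites(select(cipherSuites, socket.getSupportedCipherSuites()));
    }

    /** Runs the proposal's two examples against its imaginary suite list. */
    public static void main(String[] args) {
        String[] supported = { "cipher1", "cipher2", "cipher3", "cipher4", "cipher5" };
        System.out.println(Arrays.toString(select("cipher1,cipher2,cipher3", supported)));
        System.out.println(Arrays.toString(select("-cipher2,-cipher3", supported)));
        System.out.println(Arrays.toString(select(null, supported)));
    }
}
```

main() evaluates EXAMPLE 1, EXAMPLE 2 and the "attribute absent" case
from the text and prints the enabled list each produces. In the
connector, apply() would be called once per accepted SSLServerSocket,
after the socket is created and before it starts accepting connections,
so that the enabled set is fixed before any handshake takes place.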


Comments?


Jan

