Problem description:
-------------------
Currently, it is impossible to configure (that is, enable or disable)
a specific subset of cipher suites that an SSL-enabled connector
should present for negotiation with the client during an SSL
handshake, meaning that all the cipher suites supported by the
underlying SSL implementation library are automatically enabled. In
some cases, it would be useful to be able to tailor the set of cipher
suites enabled by the connector.
Proposal:
--------
Add 'cipherSuites' attribute to the <Factory> subelement of
<Connector>. The value of 'cipherSuites' is a comma-separated list of
cipher suite names, optionally preceded by "-" to indicate that a
specific cipher suite should be disabled. If the 'cipherSuites'
attribute is not present, all supported cipher suites are
automatically enabled.
New APIs:
--------
org.apache.coyote.tomcat5.CoyoteServerSocketFactory:
public String getCipherSuites()
public void setCipherSuites(String)
org.apache.coyote.tomcat5.CoyoteConnector:
public String getCipherSuites()
public void setCipherSuites(String)
These methods will be implemented using a combination of the
getSupportedCipherSuites and setEnabledCipherSuites methods
of javax.net.ssl.SSLServerSocket.
Examples:
--------
Assume the following imaginary cipher suites are supported by the
underlying SSL library:
cipher1
cipher2
cipher3
cipher4
cipher5
EXAMPLE 1:
<Connector ...
<Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
cipherSuites="cipher1,cipher2,cipher3"/>
</Connector>
Enabled cipher suites: cipher1,cipher2,cipher3
EXAMPLE 2:
<Connector ...
<Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
cipherSuites="-cipher2,-cipher3"/>
</Connector>
Enabled cipher suites: cipher1,cipher4,cipher5
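The selection rule the proposal describes (comma-separated names, a leading "-" to disable, everything enabled when the attribute is absent) can be worked through as a small stand-alone class. This is an added illustration, not code from the proposal or from Tomcat; the class name CipherSuiteSelector and the method computeEnabled are assumptions, and the handling of a list that mixes positive and negative entries is an assumption too, since the examples above only show all-positive or all-negative lists. The main method runs the two examples from the proposal against the same five imaginary cipher suites.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper (not part of Tomcat): turns a 'cipherSuites' attribute value
// into the array that would be handed to SSLServerSocket.setEnabledCipherSuites().
public final class CipherSuiteSelector {

    /**
     * @param supported result of SSLServerSocket.getSupportedCipherSuites()
     * @param spec      value of the proposed 'cipherSuites' attribute, or null if absent
     * @return the suites to enable, kept in the order the library lists them
     */
    public static String[] computeEnabled(String[] supported, String spec) {
        // Attribute absent or empty: all supported suites stay enabled.
        if (spec == null || spec.trim().length() == 0) {
            return supported.clone();
        }
        Set<String> include = new LinkedHashSet<String>();
        Set<String> exclude = new LinkedHashSet<String>();
        for (String token : spec.split(",")) {
            String name = token.trim();
            if (name.length() == 0) {
                continue;
            }
            if (name.startsWith("-")) {
                exclude.add(name.substring(1).trim());
            } else {
                include.add(name);
            }
        }
        // Assumption for mixed lists: with no positive entries the base set is
        // everything the library supports, otherwise only the positive entries.
        // Negative entries are always removed from the base set.
        Set<String> base = include.isEmpty()
                ? new LinkedHashSet<String>(Arrays.asList(supported))
                : include;
        List<String> enabled = new ArrayList<String>();
        for (String name : supported) {
            if (base.contains(name) && !exclude.contains(name)) {
                enabled.add(name);
            }
        }
        // A configured name the library does not support is dropped here rather
        // than passed on: setEnabledCipherSuites() throws IllegalArgumentException
        // for unknown names, which would stop the connector from starting.
        return enabled.toArray(new String[enabled.size()]);
    }

    public static void main(String[] args) {
        // The five imaginary suites from the proposal, in library order.
        String[] supported = {"cipher1", "cipher2", "cipher3", "cipher4", "cipher5"};

        // EXAMPLE 1 from the proposal.
        System.out.println(Arrays.toString(
                computeEnabled(supported, "cipher1,cipher2,cipher3")));

        // EXAMPLE 2 from the proposal.
        System.out.println(Arrays.toString(
                computeEnabled(supported, "-cipher2,-cipher3")));

        // Attribute absent.
        System.out.println(Arrays.toString(computeEnabled(supported, null)));

        // A name the library does not support is ignored.
        System.out.println(Arrays.toString(
                computeEnabled(supported, "cipher1,cipher9")));
    }
}
```

In a connector, the returned array is what would go to setEnabledCipherSuites() on the SSLServerSocket after getSupportedCipherSuites() has supplied the first argument, as the "New APIs" section describes. Filtering against the supported list before that call matters in practice: a typo in the attribute would otherwise surface as an IllegalArgumentException at start-up instead of a smaller enabled set.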
Comments?
Jan
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org