tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51073] New: Misconfigured SSLProtocol with an AprEndpoint silently falls back to ALL
Date Sat, 16 Apr 2011 04:20:27 GMT

           Summary: Misconfigured SSLProtocol with an AprEndpoint silently
                    falls back to ALL
           Product: Tomcat 7
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Connectors

When configuring Tomcat with an SSL Connector with an AprEndpoint (using the
Http11AprProtocol), if you misconfigure the SSLProtocol, then it silently falls
back to "all", which can be very dangerous.

For example this configuration may seem convincing:
    ...Other SSL configuration...
    SSLProtocol="-ALL +SSLv3 +TLSv1" 

The documentation states valid values for the SSL protocol, but if the values
don't line up exactly it defaults to "ALL".
SSLProtocol: 'Protocol which may be used for communicating with clients. The
default is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1"
and "SSLv2+SSLv3".'

Misconfiguration of an SSLProtocol should never silently fall back to enabling
all protocols.  At minimum, misconfiguration of this value should result in
logged error messages.  Since SSLv2 is vulnerable to several attacks and is
known to have some serious security flaws, even allowing the possibility of
man-in-the-middle attacks, I think a misconfiguration should cause the
connector to fail.


I think that "all" should be specifically allowed (along with "" or null), and
all other unexpected values should fail loudly.
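
The proposal in the report above, as an added Java sketch (not part of the original message and not Tomcat's code): `lenient` models the silent fallback the report describes, and `strict` accepts only the documented values plus "" or null and rejects everything else. The class, enum and method names are hypothetical, and case-insensitive matching is an assumption.

```java
import java.util.EnumSet;
import java.util.Locale;

public class SslProtocolCheck {
    enum Proto { SSLv2, SSLv3, TLSv1 }

    // Model of the behaviour described in the report: any value that is not
    // recognised silently becomes ALL, so a typo re-enables SSLv2.
    static EnumSet<Proto> lenient(String value) {
        try {
            return strict(value);
        } catch (IllegalArgumentException e) {
            return EnumSet.allOf(Proto.class); // silent fallback, nothing logged
        }
    }

    // Behaviour the report proposes: null, "" and "all" mean ALL, the other
    // documented values map to themselves, and anything else fails loudly.
    static EnumSet<Proto> strict(String value) {
        String v = (value == null) ? "" : value.toLowerCase(Locale.ROOT);
        switch (v) {
            case "":
            case "all":
                return EnumSet.allOf(Proto.class);
            case "sslv2":
                return EnumSet.of(Proto.SSLv2);
            case "sslv3":
                return EnumSet.of(Proto.SSLv3);
            case "tlsv1":
                return EnumSet.of(Proto.TLSv1);
            case "sslv2+sslv3":
                return EnumSet.of(Proto.SSLv2, Proto.SSLv3);
            default:
                throw new IllegalArgumentException(
                    "Invalid SSLProtocol value: \"" + value + "\"");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the last one is the example from the report.
        String[] samples = { "TLSv1", "all", "-ALL +SSLv3 +TLSv1" };
        for (String s : samples) {
            System.out.println("lenient(\"" + s + "\") = " + lenient(s));
            try {
                System.out.println("strict(\"" + s + "\")  = " + strict(s));
            } catch (IllegalArgumentException e) {
                System.out.println("strict rejected: " + e.getMessage());
            }
        }
    }
}
```

For the report's example value, `lenient` returns all three protocols including SSLv2, while `strict` throws, which is the point at which a connector could refuse to start.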
