tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2
Date Tue, 19 Jul 2011 23:43:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51056

--- Comment #5 from Konstantin Kolinko <knst.kolinko@gmail.com> 2011-07-19 23:43:25 UTC ---
Created attachment 27300
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27300
Drop SSLv2 support in native examples

To apply the patch one has to remove those "a/jni" and "b/jni" prefixes that do
not match the svn source layout. There were changes in sslcontext.c recently,
so the patch does not apply cleanly anymore.

Anyway,
1) tc-native is still used on old systems, like Tomcat 5.5, and thus I don't
feel comfortable removing this feature.

Maybe consider this for trunk of tc-native or postpone until native 1.2 is
nearer?

Maybe make this code conditional using some #define, e.g. OpenSSL version?

2) +1 to disable it by default in java code in Tomcat


The patch also updates tc-native examples. I am attaching a part of Damien
Raude-Morvan's patch that modifies the examples, against 1.1.x branch of
tomcat/native.


Regarding the examples:
* examples/org/apache/tomcat/jni/SSLServer.java:
 OK for the change
* examples/org/apache/tomcat/jni/SSL.properties:
 -1:
 First, if I understand the old value correctly, it enables "ALL" ciphers, then
shifts SSLv2 to the end of the list by priority. Removing SSLv2 moves it to the
front of the list and that is wrong. To disable it, one can write !SSLv2.

 Second, the old value matches whatever default is in Apache HTTPD 2.2, see

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Apache HTTPD 2.3 docs say that default depends on OpenSSL version, without
providing further specifics. I do not see the value in the code - I think it
comes from OpenSSL.

OpenSSL docs say that the default value is DEFAULT and it is determined at
compile time.

 http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Apparently for OpenSSL 1.0.0 the correct value to be used as default will be
literally "DEFAULT".

The above mentioned OpenSSL docs say that for 1.0.0 the default value is
normally "ALL:!aNULL:!eNULL". This is not true for the copy of OpenSSL 1.0.0d
that I have. The command to list ciphers, "openssl ciphers -v <cipherslist>"
does not list SSLv2 ciphers for DEFAULT, but does mention one SSLv2 cipher for
"ALL:!aNULL:!eNULL".

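Added example (not part of the bug comment, the attached patch, or tc-native): a small Python model of OpenSSL cipher-string semantics that shows why deleting "+SSLv2" from the httpd 2.2 default string promotes the SSLv2 ciphers instead of dropping them, while "!SSLv2" actually removes them. The cipher table and its order are constructed for illustration, the evaluator is a simplified reimplementation (no @STRENGTH, not OpenSSL's real table), and the default string is the one the mod_ssl 2.2 documentation lists.

```python
# Simplified model of how OpenSSL evaluates a cipher string (an assumption:
# a toy reimplementation, not OpenSSL's code). Words are ":"-separated;
# a bare word appends matching ciphers; "+word" moves already-selected
# matches to the END (lowest priority); "-word" removes them but they may be
# re-added later; "!word" removes them for good; "A+B" requires both tags.
# Not modelled: @STRENGTH and OpenSSL's real cipher table / "ALL" order.

# Constructed cipher table (name, tags); its order stands in for the order
# "ALL" produces, with the two SSLv2 entries deliberately near the front.
CIPHERS = [
    ("RC4-MD5",        {"ALL", "MEDIUM", "RC4", "RSA", "SSLv3"}),
    ("DES-CBC3-MD5",   {"ALL", "HIGH", "RSA", "SSLv2"}),
    ("RC2-CBC-MD5",    {"ALL", "MEDIUM", "RSA", "SSLv2"}),
    ("AES256-SHA",     {"ALL", "HIGH", "RSA", "SSLv3"}),
    ("ADH-AES256-SHA", {"ALL", "HIGH", "ADH", "aNULL", "SSLv3"}),
    ("DES-CBC-SHA",    {"ALL", "LOW", "RSA", "SSLv3"}),
    ("EXP-RC4-MD5",    {"ALL", "EXP", "RC4", "RSA", "SSLv3"}),
]

# Default SSLCipherSuite documented for Apache HTTPD 2.2 mod_ssl.
HTTPD_22_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

def expand(cipher_string):
    """Return the selected cipher names, highest priority first."""
    active, killed = [], set()
    for word in cipher_string.split(":"):
        if not word:
            continue
        op, spec = (word[0], word[1:]) if word[0] in "+-!" else ("", word)
        wanted = set(spec.split("+"))
        matches = [n for n, tags in CIPHERS if wanted <= tags]
        if op == "!":        # permanent removal
            killed.update(matches)
            active = [c for c in active if c not in killed]
        elif op == "-":      # removal that a later word may undo
            active = [c for c in active if c not in matches]
        elif op == "+":      # demote matches to the end, keeping their order
            active = ([c for c in active if c not in matches]
                      + [c for c in active if c in matches])
        else:                # append matches not yet selected or killed
            active += [c for c in matches if c not in active and c not in killed]
    return active

def sslv2_positions(cipher_string):
    """Indexes (0 = highest priority) where SSLv2 ciphers end up."""
    sslv2 = {n for n, tags in CIPHERS if "SSLv2" in tags}
    return [i for i, c in enumerate(expand(cipher_string)) if c in sslv2]
```

With this table, `expand(HTTPD_22_DEFAULT.replace(":+SSLv2", ""))` puts an SSLv2 cipher in first place, whereas replacing "+SSLv2" with "!SSLv2" removes both SSLv2 entries from the result.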
