tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2
Date Tue, 19 Jul 2011 23:43:25 GMT

--- Comment #5 from Konstantin Kolinko <> 2011-07-19 23:43:25 UTC ---
Created attachment 27300
Drop SSLv2 support in native examples

To apply the patch one has to remove those "a/jni" and "b/jni" prefixes that do
not match the svn source layout. There were changes in sslcontext.c recently,
so the patch does not apply cleanly anymore.

1) tc-native is still used on old systems, like Tomcat 5.5, and thus I don't
feel comfortable removing this feature.

Maybe consider this for trunk of tc-native or postpone until native 1.2 is more

Maybe make this code conditional using some #define, e.g. OpenSSL version?

2) +1 to disable it by default in java code in Tomcat

The patch also updates tc-native examples. I am attaching a part of Damien
Raude-Morvan's patch that modifies the examples, against 1.1.x branch of

Regarding the examples:
* examples/org/apache/tomcat/jni/
 OK for the change
* examples/org/apache/tomcat/jni/
 First, if I understand the old value correctly, it enables "ALL" ciphers, then
shifts SSLv2 to the end of the list by priority. Removing SSLv2 moves it to the
front of the list and that is wrong. To disable it, one can write !SSLv2

 Second, the old value matches whatever default is in Apache HTTPD 2.2, see

Apache HTTPD 2.3 docs say that default depends on OpenSSL version, without
providing further specifics. I do not see the value in the code - I think it
comes from OpenSSL.

OpenSSL docs say that the default value is DEFAULT and it is determined at
compile time.

Apparently for OpenSSL 1.0.0 the correct value to be used as default will be
literally "DEFAULT".

The above mentioned OpenSSL docs say that for 1.0.0 the default value is
normally "ALL:!aNULL:!eNULL". This is not true for the copy of OpenSSL 1.0.0d
that I have. The command to list ciphers, "openssl ciphers -v <cipherslist>"
does not list SSLv2 ciphers for DEFAULT, but does mention one SSLv2 cipher for 


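The comment above turns on the ordering rules of OpenSSL cipher strings: a bare "ALL" enables everything, a "+SSLv2" term only moves already-selected SSLv2 suites to the end of the preference list, and "!SSLv2" is what actually removes them. The following is an added illustration, not code from the bug, from Tomcat or from OpenSSL: a small Python model of the four rule prefixes documented in ciphers(1) (none, "+", "-", "!") run over a constructed cipher table. The table, its cipher names (the "SSL2-" prefix marks the invented SSLv2 entries) and the assumption that SSLv2 entries sort first in a bare "ALL" are all constructed for the example; the "DEFAULT" expansion is the "ALL:!aNULL:!eNULL" string the comment quotes from the OpenSSL docs. The "@STRENGTH" sort directive and the real cipher tables are deliberately not modelled.

```python
"""Toy model of the OpenSSL cipher-string rules from ciphers(1).

Constructed for illustration; it is not OpenSSL's parser, and the cipher
table below is an invented stand-in for OpenSSL's internal ordering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str       # constructed names; "SSL2-" marks the toy SSLv2 entries
    protocol: str   # "SSLv2" or "SSLv3" (TLS suites share the SSLv3 alias)
    strength: str   # HIGH / MEDIUM / LOW / NONE
    auth: str       # "RSA" or "NULL" (anonymous key exchange)
    enc: str        # "AES" / "3DES" / "RC4" / "NULL"


# Assumption: SSLv2 entries come first, so a bare "ALL" lists them first,
# which is the situation the bug comment describes.
TABLE = [
    Cipher("SSL2-DES-CBC3-MD5", "SSLv2", "HIGH",   "RSA",  "3DES"),
    Cipher("SSL2-RC4-MD5",      "SSLv2", "MEDIUM", "RSA",  "RC4"),
    Cipher("AES256-SHA",        "SSLv3", "HIGH",   "RSA",  "AES"),
    Cipher("AES128-SHA",        "SSLv3", "HIGH",   "RSA",  "AES"),
    Cipher("DES-CBC3-SHA",      "SSLv3", "HIGH",   "RSA",  "3DES"),
    Cipher("RC4-SHA",           "SSLv3", "MEDIUM", "RSA",  "RC4"),
    Cipher("ADH-AES128-SHA",    "SSLv3", "HIGH",   "NULL", "AES"),
    Cipher("NULL-SHA",          "SSLv3", "NONE",   "RSA",  "NULL"),
]
BY_NAME = {c.name: c for c in TABLE}

# ciphers(1) documents DEFAULT for OpenSSL 1.0.0 as this string (quoted in the bug).
ALIASES = {"DEFAULT": "ALL:!aNULL:!eNULL"}


def matches(cipher, word):
    """True if one alias or exact cipher name selects this cipher."""
    if word == "ALL":
        return cipher.enc != "NULL"          # ALL excludes eNULL suites
    if word == "COMPLEMENTOFALL":
        return cipher.enc == "NULL"
    if word == "aNULL":
        return cipher.auth == "NULL"
    if word in ("eNULL", "NULL"):
        return cipher.enc == "NULL"
    if word in ("SSLv2", "SSLv3"):
        return cipher.protocol == word
    if word in ("HIGH", "MEDIUM", "LOW"):
        return cipher.strength == word
    if word in ("RSA", "aRSA"):
        return cipher.auth == "RSA"
    if word in ("AES", "3DES", "RC4"):
        return cipher.enc == word
    return cipher.name == word


def select(term):
    """A term such as RC4+RSA is the intersection of its '+'-joined parts."""
    parts = term.split("+")
    return [c for c in TABLE if all(matches(c, p) for p in parts)]


def build_cipher_list(spec):
    """Apply the ':'-separated rules left to right; return cipher names in order."""
    for alias, expansion in ALIASES.items():
        spec = spec.replace(alias, expansion)
    chosen = []          # current preference list, in order
    killed = set()       # names removed with '!' can never be re-added
    for raw in filter(None, spec.split(":")):
        op, term = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        hit = {c.name for c in select(term)}
        if op == "!":                       # permanent delete
            killed |= hit
            chosen = [n for n in chosen if n not in hit]
        elif op == "-":                     # delete, but a later rule may re-add
            chosen = [n for n in chosen if n not in hit]
        elif op == "+":                     # move existing matches to the end, keep their order
            chosen = [n for n in chosen if n not in hit] + [n for n in chosen if n in hit]
        else:                               # append new matches; existing ones keep their place
            for c in select(term):
                if c.name not in chosen and c.name not in killed:
                    chosen.append(c.name)
    return chosen


def sslv2_enabled(spec):
    """Config check: does the resulting list still contain any SSLv2 suite?"""
    return any(BY_NAME[n].protocol == "SSLv2" for n in build_cipher_list(spec))


if __name__ == "__main__":
    for spec in ("ALL:+SSLv2", "ALL", "ALL:!SSLv2", "-SSLv2:ALL", "DEFAULT"):
        print(f"{spec:12} SSLv2={sslv2_enabled(spec)!s:5} {build_cipher_list(spec)}")
```

Running the block shows the three cases from the comment side by side: "ALL:+SSLv2" leaves the SSLv2 suites enabled but last, plain "ALL" leaves them enabled and first, and only "ALL:!SSLv2" (or "!SSLv2:ALL", since "!" is permanent) removes them. The "-" prefix is the trap to watch for in audits: "-SSLv2" followed by anything that re-selects SSLv2 brings the suites back. `sslv2_enabled` is the kind of check a configuration linter would apply to a candidate `SSLCipherSuite` value before it ships.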