tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51477] Fix for 51073 Breaks SSLv3+TLSv1 Protocol Support in APR Connector
Date Tue, 05 Jul 2011 18:50:45 GMT

Rainer Jung <> changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #7 from Rainer Jung <> 2011-07-05 18:50:45 UTC ---
I checked the code of tcnative and of mod_ssl. Both have provisions for
arbitrary combinations in SSLProtocol.

The way it works is there's a basic protocol selection in OpenSSL and then you
can remove parts by adding an option.

The possible basic settings are SSLv2, SSLv3, TLSv1 and SSLv23. All except for
the last one *only* understand that specific protocol; the last one understands
SSLv2, SSLv3 *and* TLSv1, so this is "all".

For arbitrary combinations one chooses SSLv23 and then removes the protocols
one doesn't want via SSL_CTX_set_options() using the options SSL_OP_NO_SSLv2,

In tcnative in sslcontext.c there seems to be a bug in choosing SSLv2 if the
configured protocol is SSLv2+TLSv1 and choosing SSLv3 if it is SSLv3+TLSv1. I'd
say in both cases it should be SSLv23, because neither SSLv2 nor SSLv3 supports
TLSv1. The additional protocol in SSLv23 is later removed via the options.

Fortunately those combinations do not yet get passed down by
But yes, it'd be easy to support any combination.
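The selection rule described in the comment above (a single protocol gets its own method, any combination starts from SSLv23 and the unwanted protocols are removed through SSL_OP_NO_*), written out as an added example in plain C. This is not tcnative's or mod_ssl's code; the PROTO_* and METHOD_* constants are this example's own stand-ins for OpenSSL's method functions and options, so it compiles without linking OpenSSL.

```c
#include <stdio.h>
/* Configured protocol set as a bitmask. The bit values are this
 * example's own; they are not OpenSSL's SSL_OP_NO_* constants. */
enum { PROTO_SSLV2 = 1u, PROTO_SSLV3 = 2u, PROTO_TLSV1 = 4u,
       PROTO_ALL = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1 };

/* Base method for SSL_CTX_new(): stands in for SSLv2_method(),
 * SSLv3_method(), TLSv1_method() and SSLv23_method(). */
typedef enum { METHOD_SSLV2, METHOD_SSLV3, METHOD_TLSV1, METHOD_SSLV23 } base_method;

/* Corrected selection: one protocol gets its own method; any combination
 * starts from SSLv23 and the unwanted protocols are removed through
 * *no_opts (the equivalent of SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 / SSL_OP_NO_TLSv1). */
base_method select_method(unsigned wanted, unsigned *no_opts)
{
    *no_opts = 0;
    switch (wanted) {
    case PROTO_SSLV2: return METHOD_SSLV2;
    case PROTO_SSLV3: return METHOD_SSLV3;
    case PROTO_TLSV1: return METHOD_TLSV1;
    default:
        *no_opts = PROTO_ALL & ~wanted;   /* strip what was not configured */
        return METHOD_SSLV23;
    }
}

/* Protocols the context can actually negotiate: a single-protocol method
 * speaks only that protocol, and SSL_OP_NO_* options can only remove. */
unsigned effective_protocols(base_method m, unsigned no_opts)
{
    unsigned base = PROTO_ALL;              /* SSLv23 understands all three */
    if (m == METHOD_SSLV2) base = PROTO_SSLV2;
    if (m == METHOD_SSLV3) base = PROTO_SSLV3;
    if (m == METHOD_TLSV1) base = PROTO_TLSV1;
    return base & ~no_opts;
}

int main(void)
{
    unsigned opts;
    /* Reported tcnative behaviour: SSLv3 method for SSLv3+TLSv1 loses TLSv1. */
    printf("SSLv3 method for SSLv3+TLSv1 -> mask %u\n",
           effective_protocols(METHOD_SSLV3, 0));            /* mask 2 */
    /* Corrected: SSLv23 minus SSLv2 keeps SSLv3 and TLSv1. */
    base_method m = select_method(PROTO_SSLV3 | PROTO_TLSV1, &opts);
    printf("SSLv23 minus opts %u        -> mask %u\n", opts,
           effective_protocols(m, opts));                     /* mask 6 */
    return 0;
}
```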

