From: bugzilla@apache.org
To: dev@tomcat.apache.org
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Subject: DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2
Date: Tue, 19 Jul 2011 23:43:25 +0000
X-Bugzilla-Product: Tomcat Native
X-Bugzilla-Component: Library
X-Bugzilla-Severity: normal
X-Bugzilla-Priority: P2
X-Bugzilla-Status: NEEDINFO
X-Bugzilla-Who: knst.kolinko@gmail.com
X-Bugzilla-Assigned-To: dev@tomcat.apache.org
X-Bugzilla-URL: https://issues.apache.org/bugzilla/
https://issues.apache.org/bugzilla/show_bug.cgi?id=51056

--- Comment #5 from Konstantin Kolinko 2011-07-19 23:43:25 UTC ---

Created attachment 27300
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27300
Drop SSLv2 support in native examples

To apply the patch one has to remove those "a/jni" and "b/jni" prefixes that do not match the svn source layout. There were changes in sslcontext.c recently, so the patch does not apply cleanly anymore.

Anyway,

1) tc-native is still used on old systems, like Tomcat 5.5, and thus I don't feel comfortable removing this feature. Maybe consider this for trunk of tc-native, or postpone until native 1.2 is nearer? Maybe make this code conditional using some #define, e.g. the OpenSSL version?

2) +1 to disable it by default in Java code in Tomcat.

The patch also updates tc-native examples. I am attaching a part of Damien Raude-Morvan's patch that modifies the examples, against the 1.1.x branch of tomcat/native.

Regarding the examples:

* examples/org/apache/tomcat/jni/SSLServer.java: OK for the change

* examples/org/apache/tomcat/jni/SSL.properties: -1:

First, if I understand the old value correctly, it enables "ALL" ciphers, then shifts SSLv2 to the end of the list by priority. Removing SSLv2 moves it to the front of the list, and that is wrong. To disable it, one can write !SSLv2

Second, the old value matches whatever default is in Apache HTTPD 2.2, see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Apache HTTPD 2.3 docs say that the default depends on the OpenSSL version, without providing further specifics. I do not see the value in the code - I think it comes from OpenSSL. OpenSSL docs say that the default value is DEFAULT and it is determined at compile time.
http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Apparently for OpenSSL 1.0.0 the correct value to be used as default will be literally "DEFAULT".

The above-mentioned OpenSSL docs say that for 1.0.0 the default value is normally "ALL:!aNULL:!eNULL". This is not true for the copy of OpenSSL 1.0.0d that I have. The command to list ciphers, "openssl ciphers -v", does not list SSLv2 ciphers for DEFAULT, but does mention one SSLv2 cipher for "ALL:!aNULL:!eNULL".
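The comment above turns on how an OpenSSL cipher string treats `+SSLv2` (move to the end) versus `!SSLv2` (remove permanently), and on what `DEFAULT` expands to. The following is an added example, not code from this bug, from Tomcat Native, from httpd or from OpenSSL: a small Python model of the documented cipher-string rules, run over a constructed toy cipher table so that it works offline. Assumptions: the cipher table, its preference order and the alias subset are invented for illustration; `DEFAULT` is set to `ALL:!aNULL:!eNULL:!SSLv2`, OpenSSL 1.0.0's compile-time value quoted from memory rather than from the page; `HTTPD22` is the SSLCipherSuite default that the httpd 2.2 documentation gives, also from memory; `@STRENGTH` and the rest of OpenSSL's aliases are not modelled.

```python
"""Simplified model of OpenSSL cipher-string evaluation (constructed example).

Operators, as documented for `openssl ciphers`:
  keyword   add matching suites that are not yet listed, in master order, at the end
  +keyword  move matching suites that are already listed to the end (lower priority)
  -keyword  delete matching suites; a later keyword may add them back
  !keyword  delete matching suites permanently
  A+B       inside one item: suites matching A AND B
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Cipher:
    name: str
    version: str   # protocol the suite was defined for: "SSLv2" or "SSLv3"
    kx: str        # key exchange: "RSA", "DH", or "ADH" (anonymous DH)
    auth: str      # authentication: "RSA", or "NULL" for anonymous suites
    enc: str       # bulk cipher: "AES256", "3DES", "RC4", "DES", or "NULL"
    strength: str  # "HIGH", "MEDIUM", "LOW", "EXPORT", or "NONE" (eNULL)


# Constructed toy master list, in the library's own preference order. The two
# SSLv2 suites come last, as OpenSSL 1.0.x lists them after the SSLv3/TLS suites.
MASTER: List[Cipher] = [
    Cipher("AES256-SHA",         "SSLv3", "RSA", "RSA",  "AES256", "HIGH"),
    Cipher("DHE-RSA-AES256-SHA", "SSLv3", "DH",  "RSA",  "AES256", "HIGH"),
    Cipher("ADH-AES256-SHA",     "SSLv3", "ADH", "NULL", "AES256", "HIGH"),
    Cipher("RC4-SHA",            "SSLv3", "RSA", "RSA",  "RC4",    "MEDIUM"),
    Cipher("DES-CBC-SHA",        "SSLv3", "RSA", "RSA",  "DES",    "LOW"),
    Cipher("EXP-RC4-MD5",        "SSLv3", "RSA", "RSA",  "RC4",    "EXPORT"),
    Cipher("NULL-SHA",           "SSLv3", "RSA", "RSA",  "NULL",   "NONE"),
    Cipher("RC4-MD5",            "SSLv2", "RSA", "RSA",  "RC4",    "MEDIUM"),
    Cipher("DES-CBC3-MD5",       "SSLv2", "RSA", "RSA",  "3DES",   "HIGH"),
]

# A subset of OpenSSL's keyword aliases, each a predicate over a Cipher.
ALIASES: Dict[str, Callable[[Cipher], bool]] = {
    "ALL":    lambda c: c.enc != "NULL",   # everything except eNULL suites
    "eNULL":  lambda c: c.enc == "NULL",
    "aNULL":  lambda c: c.auth == "NULL",
    "ADH":    lambda c: c.kx == "ADH",
    "RSA":    lambda c: c.kx == "RSA",     # RSA key exchange
    "RC4":    lambda c: c.enc == "RC4",
    "HIGH":   lambda c: c.strength == "HIGH",
    "MEDIUM": lambda c: c.strength == "MEDIUM",
    "LOW":    lambda c: c.strength == "LOW",
    "EXP":    lambda c: c.strength == "EXPORT",
    "SSLv2":  lambda c: c.version == "SSLv2",
    "SSLv3":  lambda c: c.version == "SSLv3",
}

# Assumed compile-time DEFAULT: OpenSSL 1.0.0's value, quoted from memory.
DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2"

# httpd 2.2's documented SSLCipherSuite default, quoted from memory.
HTTPD22 = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


def _predicate(word: str) -> Callable[[Cipher], bool]:
    """Build the matcher for one item: 'A+B' is an AND; a bare suite name matches itself."""
    preds = []
    for part in word.split("+"):
        if part in ALIASES:
            preds.append(ALIASES[part])
        elif any(c.name == part for c in MASTER):
            preds.append(lambda c, n=part: c.name == n)
        else:
            raise ValueError("unknown cipher keyword: " + part)
    return lambda c: all(p(c) for p in preds)


def cipher_list(spec: str) -> List[str]:
    """Return the ordered suite names that a cipher string selects."""
    items: List[str] = []
    for item in spec.split(":"):
        items.extend(DEFAULT.split(":") if item == "DEFAULT" else [item])
    active: List[Cipher] = []
    killed = set()  # suites hit by '!' can never be re-added
    for item in items:
        if not item:
            continue
        op, body = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        match = _predicate(body)
        if op == "":
            active += [c for c in MASTER if match(c) and c not in active and c not in killed]
        elif op == "+":
            active = [c for c in active if not match(c)] + [c for c in active if match(c)]
        elif op == "-":
            active = [c for c in active if not match(c)]
        else:
            killed.update(c for c in MASTER if match(c))
            active = [c for c in active if not match(c)]
    return [c.name for c in active]


if __name__ == "__main__":
    for label, spec in [("with +SSLv2", HTTPD22),
                        ("+SSLv2 dropped", HTTPD22.replace(":+SSLv2", "")),
                        ("with !SSLv2", HTTPD22.replace("+SSLv2", "!SSLv2")),
                        ("DEFAULT", "DEFAULT"),
                        ("ALL:!aNULL:!eNULL", "ALL:!aNULL:!eNULL")]:
        print(f"{label:20s} {cipher_list(spec)}")
```

Running it shows the three outcomes the comment contrasts: with `+SSLv2` the two SSLv2 suites sit near the tail, just ahead of the export suite; simply dropping `+SSLv2` leaves them ranked with their strength class, so the 3DES SSLv2 suite lands in third place; `!SSLv2` removes them. The last two lines reproduce the observation about `DEFAULT` versus `ALL:!aNULL:!eNULL` under the assumed DEFAULT string. The model also makes the `-` versus `!` distinction concrete: `ALL:-SSLv2:SSLv2` brings the SSLv2 suites back, `ALL:!SSLv2:SSLv2` does not.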