tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [VOTE] Release Apache Tomcat 6.0.43
Date Thu, 20 Nov 2014 20:54:18 GMT
Andrew,

On 11/19/14 2:47 AM, Andrew Carr wrote:
> If you review the Tomcat 6 documentation
> here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
>  , you will see "sslEnabledProtocols."   On the desc. for that setting
> there are links for Java 6 and Java 7 protocol lists, and they both
> include SSLv2.  Not nitpicking here, just know that I saw it.  I was
> looking at the TC 6 -> Java 6 / 7 documentation because I was working
> with Tomcat 6 and Java 7.

Fair enough. Two thoughts:

1. This is not a regression; it would have happened to any previous
Tomcat 6.x with this JVM version
2. Nobody cares about SSLv2 and it's good that new JVMs will fail to
configure a socket with that protocol enabled

> I understand it is not in the Java 8 documentation.   I attached a
> screenshot.

Nope.

-chris

> On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> 
>     Andrew,
> 
>     On 11/18/14 2:58 PM, Andrew Carr wrote:
>     > Chris,
>     >
>     > Thank you for the response. I will include the full stack trace next time.
>     >
>     >>
>     >>
>     >>
>     >> Note that, like polio, SSLv2 has been wiped from the face of the planet.
>     >>
>     >> This is not an error. This will not impact anyone of consequence.
>     >>
>     >> You may be looking for "SSLv2Hello".
>     >>
>     >> -chris
>     >>
>     >>
>     >>
>     > You said that I might be looking for SSLv2Hello, but I am not.  My point
>     > is not the use of SSLv2 because it would be wise, but the fact that the
>     > list of protocols on the Oracle page includes SSLv2.
> 
>     It most certainly *does not*:
> 
>     https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> 
>     SSLv2 is dead, dead, dead.
> 
>     > This list is referred
>     > to by the tomcat configuration documentation, which would lead someone to
>     > believe this is a valid setting.  Maybe we just add a note about SSLv2?
> 
>     There are notes everywhere that SSLv2 is not trusted.
> 
>     > Maybe it's not important?
> 
>     Not really. Anyone wanting to use SSLv2 should experience abject
>     failure.
> 
>     -chris
> 
> 
> 
> 
> -- 
> With Regards,
> Andrew Carr
> 
> e. andrewlanecarr@gmail.com
> w. andrew.carr@openlogic.com
> h. 4235255668
> c. 4239489852
> a. 101 Francis Drive, Greeneville, TN, 37743
> 
> 
> 
> 
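The thread turns on what happens when a connector's `sslEnabledProtocols` value names a protocol the running JVM does not support. The following is an added example, not code from the thread or from Tomcat: it compares a comma-separated protocol list against what the JVM's default `SSLContext` reports and then asks a JSSE server socket to enable that list. The class name `ProtocolCheck` and the sample value `SSLv2,TLSv1.2` are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class ProtocolCheck {
    /** Returns the configured protocol names that are absent from the supported set. */
    static List<String> unsupported(String configured, Set<String> supported) {
        List<String> bad = new ArrayList<>();
        for (String p : configured.split(",")) {
            String name = p.trim();
            if (!name.isEmpty() && !supported.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, standing in for a connector's sslEnabledProtocols attribute.
        String configured = args.length > 0 ? args[0] : "SSLv2,TLSv1.2";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("JVM supports:          " + supported);

        List<String> bad = unsupported(configured, supported);
        System.out.println("Unsupported in config: " + bad);

        // Ask an unbound JSSE server socket to enable the configured list, which is
        // the step that fails when a name is not supported by the provider.
        try (SSLServerSocket s =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            s.setEnabledProtocols(configured.trim().split("\\s*,\\s*"));
            System.out.println("Socket accepted:       "
                    + Arrays.toString(s.getEnabledProtocols()));
        } catch (IllegalArgumentException e) {
            System.out.println("Socket rejected list:  " + e.getMessage());
        }

        // Non-zero exit lets a deployment check fail before the connector is started.
        if (!bad.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Run it with the same JVM that will host Tomcat, passing the connector's actual value as the first argument, since the supported set differs between Java versions.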

