tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shan, Justine" <justine.s...@sap.com>
Subject RE: Tomcat encryption algorithms
Date Wed, 20 Jan 2010 19:15:15 GMT
Thank you so much for the answer!

Regarding the classification, please see the link below: 
http://www.apache.org/licenses/exports/

scroll down to the product Apache Tomcat. It says it's 5D002. I also reached to Apache Legal
to verify but haven't heard anything back. 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, January 20, 2010 11:10 AM
To: Tomcat Users List
Subject: Re: Tomcat encryption algorithms

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Justine,

On 1/20/2010 1:52 PM, Shan, Justine wrote:
> As far as I know, the only encryption implemented by Tomcat itself
> is SSL.

SSL is a strategy of securely transmitting data, which uses encryption.
Technically speaking, Tomcat does not /implement/ SSL, but rather uses
the JVM's SSL libraries to provide HTTP over SSL.

> But I need to know what exactly algorithms have been implemented and
> distributed with the binary from Apache Tomcat 5.X and 6.

Tomcat does not ship with any cryptographic algorithms.

> To my understanding, Tomcat relies on the JVM or JCE installed on
> the user's machine to implement SSL, which implies Tomcat doesn't
> ship any cryptographic algorithms but only implements SSL protocol.

Correct.

> On the other hand, from the Legal page Tomcat is classified as 5D002,
> strong cryptography.

Would you care to provide a reference? I can find none of the following
strings on the "Legal" page for Tomcat
(http://tomcat.apache.org/legal.html): "crypt", "5D002", "classif", or
anything like that.

> This implies Tomcat does contain (and thus ships with) encryption
> implementation. And I need to know what exactly algorithms are
> implemented.

Again, none are implemented: everything is implemented by the JRE/JVM or
a 3rd-party library, if you choose to install and configure one (such as
Bouncy Castle... I'm sure there are others).

If you just want to know which algorithms are available to your JDK, you
can write a bit of code to dump-out that information, but it depends
entirely on your environment.

Tomcat also allows you to use OpenSSL as an SSL provider (using the APR
native library) which may provide a different set of encryption
algorithms to Tomcat.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktXVRAACgkQ9CaO5/Lv0PBorwCgprlSVdu1ly0DWdpvA8PS2nZV
61MAoII8HcPJ2nTTCSTflA3Ic3q2PSRb
=Xnhn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message