tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Anyway to enable just all TLS protocols in APR connector?
Date Fri, 17 Oct 2014 17:25:47 GMT

Jeffrey,

On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> Documentation for the APR connector says setting SSLProtocol="all" 
> (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
> and TLSv1.2 as well.

Why do you think that's the case?

> However, it only seems to accept SSLProtocol strings that include
> TLSv1, SSLv2, SSLv3 or their combinations.

Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
expect new builds soon.

> In other words, there doesn't seem to be a way to specify that you 
> only want all 3 TLS versions and none of the SSL versions. Is
> there something I'm missing?

Nope.

> FYI: I checked Bugzilla on this, and there seems to be some work 
> progressing on coding support, but it also interjected a
> regression to turn SSLv2 back on by default.

This can happen in certain situations, like saying that you want
TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
SSLv2Hello" which is only as dangerous as SSLv3 right now.

> The question is, if there is no current "magic string" that Tomcat 
> will accept to enable full TLS support, is this something we will 
> have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be 
> able to address?

Unfortunately, yes. You'll need to wait for tcnative 1.1.32 as well.

-chris

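As an added example (not part of the thread above), a small audit that reads a Tomcat server.xml and flags SSL-enabled connectors whose SSLProtocol still admits SSLv2 or SSLv3, including the APR default "all" that the thread discusses. The server.xml below is constructed for the example; the TLS-only value TLSv1+TLSv1.1+TLSv1.2 is the form the fixed releases referenced in the reply accept.

```python
"""Flag Tomcat APR connectors whose SSLProtocol still permits SSLv2/SSLv3."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): a plain HTTP
# connector, an SSL connector left at the default SSLProtocol ("all", which
# on the affected APR builds means TLSv1+SSLv3), one that names SSLv3
# explicitly, and one restricted to the three TLS versions.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+SSLv3" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
  </Service>
</Server>
"""

# Tokens that leave an SSL-era protocol negotiable on the APR connector.
WEAK_TOKENS = {"SSLv2", "SSLv3", "all"}


def split_protocols(value):
    """Split an SSLProtocol value on '+' (APR syntax) or ',' separators."""
    return [t for t in value.replace(",", " ").replace("+", " ").split() if t]


def audit_connectors(xml_text):
    """Return one finding per SSL-enabled connector: port, value, weak tokens.

    A missing SSLProtocol attribute is reported as the default "all".
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("SSLProtocol", "all")
        weak = sorted(t for t in split_protocols(value) if t in WEAK_TOKENS)
        findings.append({"port": conn.get("port"), "SSLProtocol": value, "weak": weak})
    return findings


def tls_only_ports(xml_text):
    """Ports whose SSLProtocol contains no SSLv2/SSLv3/all token."""
    return [f["port"] for f in audit_connectors(xml_text) if not f["weak"]]
```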

