From: Christopher Schultz
To: Tomcat Users List
Subject: Re: [OT] Ability to set cipher suites for websocket connections
Date: Tue, 17 Jan 2017 17:49:21 -0500

Mark,

On 1/17/17 2:53 PM, Mark Thomas wrote:
> On 17/01/2017 19:32, Christopher Schultz wrote:
>> Mark,
>>
>> On 1/17/17 8:39 AM, Mark Thomas wrote:
>>> On 17/01/2017 11:23, Michael Orr wrote:
>>>> Hi,
>>>>
>>>> There is a user property
>>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use
>>>> to provide the list of permitted SSL protocols when
>>>> connecting to a websocket with WsWebSocketContainer. I was
>>>> expecting that there would be a similar property to allow you
>>>> to set the list of permitted SSL cipher suites as well.
>>>>
>>>> I've checked the code (for version 7.0.73, and also
>>>> 9.0.0.M15) and there doesn't seem to be any mention of such
>>>> an option. I can see it calling
>>>> SSLEngine.setEnabledProtocols() but not
>>>> SSLEngine.setEnabledCipherSuites().
>>>>
>>>> Is there a particular reason why there is no
>>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or
>>>> is it simply an oversight?
>>
>>> No reason I can think of. Patches welcome :)
>>
>> I'm curious: since the existing (possibly) contains a
>> TLS configuration, why does Websocket specifically require a
>> separate configuration?
>
> This is for the WebSocket client, not the server.

Hah... of course. *duh*

-chris
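
The following is an added example, not part of the thread and not Tomcat's code: a plain JSSE sketch of what the thread discusses, restricting both the protocols and the cipher suites on a client-mode SSLEngine from a map of user properties. The SSL_CIPHER_SUITES key is the property name proposed in the thread and is treated here as hypothetical; the class name, method names, host and sample values are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class ClientTlsRestriction {
    // The first key is quoted in the thread; the second is only proposed there (hypothetical).
    static final String PROTOCOLS = "org.apache.tomcat.websocket.SSL_PROTOCOLS";
    static final String CIPHER_SUITES = "org.apache.tomcat.websocket.SSL_CIPHER_SUITES";

    // Split a comma-separated value and keep only names the engine supports, because
    // setEnabledProtocols()/setEnabledCipherSuites() throw on an unsupported name.
    // If nothing is left, fail closed instead of falling back to the JVM defaults.
    static String[] permitted(Object value, String[] supported) {
        List<String> known = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String name : String.valueOf(value).split(",")) {
            if (known.contains(name.trim())) out.add(name.trim());
        }
        if (out.isEmpty()) throw new IllegalArgumentException("no supported entry in: " + value);
        return out.toArray(new String[0]);
    }

    // Build a client-mode engine and apply whichever restrictions are present.
    static SSLEngine clientEngine(Map<String, Object> userProps, String host, int port)
            throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (userProps.containsKey(PROTOCOLS)) {
            engine.setEnabledProtocols(
                    permitted(userProps.get(PROTOCOLS), engine.getSupportedProtocols()));
        }
        if (userProps.containsKey(CIPHER_SUITES)) {
            engine.setEnabledCipherSuites(
                    permitted(userProps.get(CIPHER_SUITES), engine.getSupportedCipherSuites()));
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = new HashMap<>(); // constructed sample values
        props.put(PROTOCOLS, "TLSv1.2");
        props.put(CIPHER_SUITES, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_NOT_A_REAL_SUITE");
        SSLEngine engine = clientEngine(props, "example.invalid", 443);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
        System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```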