tomcat-dev mailing list archives

Subject [Bug 53952] Add support for TLS 1.1 and 1.2
Date Thu, 04 Apr 2013 21:02:26 GMT

--- Comment #17 from Marcel Šebek <> ---
The problem is as follows. OpenSSL 0.9.8y defines SSL_OP_PKCS1_CHECK_{1,2} as
0x08000000L and 0x10000000L while OpenSSL 1.0.1e uses the same values for
SSL_OP_NO_TLSv1_{1,2}, and defines SSL_OP_PKCS1_CHECK_{1,2} as zero. Therefore,
Java code calling hasOp with SSL_OP_NO_TLSv1_{1,2} succeeds against both 0.9.8
and 1.0.1. I see no perfect solution, but quite a good way to overcome this
issue is to drop SSL_OP_PKCS1_CHECK_* from supported_ssl_opts. Then, these OP's
cannot be tested via hasOp, but the flags seem to be unused anyway, according
to the comment in 1.0.1e:

/* These next two were never actually used for anything since SSLeay
 * zap so we have some more flags.

I'll send fixed patches in a moment. They have been tested (with JBoss, as
before) against both 0.9.8y and 1.0.1e. I've also tested newer Java against old
tcnative, and it works correctly (enabling one of the newer protocols causes a

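The flag collision described in this comment, as an added example that is not part of the original message or of the tcnative sources. The `ssl_defs` struct, `supported_opts()` and `has_op()` are hypothetical stand-ins; it is an assumption that hasOp is a plain bit test against supported_ssl_opts.

```c
#include <stdio.h>

/* Option bits quoted in the comment above. */
#define BIT_08 0x08000000L
#define BIT_10 0x10000000L

/* Constructed model of the relevant defines in one OpenSSL header. */
struct ssl_defs {
    const char *version;
    long pkcs1_check_1, pkcs1_check_2; /* SSL_OP_PKCS1_CHECK_{1,2} */
    long no_tlsv1_1, no_tlsv1_2;       /* 0: header has no such option */
};

static const struct ssl_defs OPENSSL_098Y = { "0.9.8y", BIT_08, BIT_10, 0, 0 };
static const struct ssl_defs OPENSSL_101E = { "1.0.1e", 0, 0, BIT_10, BIT_08 };

/* Mask the native library advertises (stand-in for supported_ssl_opts). */
long supported_opts(const struct ssl_defs *d, int keep_pkcs1_check)
{
    long mask = d->no_tlsv1_1 | d->no_tlsv1_2;
    if (keep_pkcs1_check)
        mask |= d->pkcs1_check_1 | d->pkcs1_check_2;
    return mask;
}

/* Assumed hasOp logic: the caller passes a number, so only the bit is compared. */
int has_op(long supported, long op)
{
    return op != 0 && (supported & op) == op;
}

int main(void)
{
    const struct ssl_defs *libs[] = { &OPENSSL_098Y, &OPENSSL_101E };
    const long java_ops[] = { BIT_10, BIT_08 }; /* Java-side SSL_OP_NO_TLSv1_{1,2} */
    for (int i = 0; i < 2; i++)
        for (int keep = 1; keep >= 0; keep--)
            for (int j = 0; j < 2; j++)
                printf("%s pkcs1_check %s: hasOp(0x%08lx) = %d\n",
                       libs[i]->version, keep ? "listed " : "dropped",
                       (unsigned long)java_ops[j],
                       has_op(supported_opts(libs[i], keep), java_ops[j]));
    return 0;
}
```

With the PKCS1_CHECK bits listed, a 0.9.8y build answers "supported" for both TLS 1.1/1.2 option values; with them dropped, only the 1.0.1e build does.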