Hi,
As previously discussed on user list [1], HTTPS JSSE Connectors (both
BIO and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in
terms of enabled TLS/SSL protocols.
(I repeat the parts from that thread here.)
Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while
Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and
might introduce problems when upgrading from Tomcat 6 to Tomcat 7.
The reason for this discrepancy is that in the Tomcat 6 code, if the (undocumented)
attribute "protocols" is omitted, the method socket.setEnabledProtocols is
not invoked (JSSESocketFactory, lines 700-702, in tc6.0.x/trunk):
    // Tomcat 6: only touch the socket's protocol list when the attribute was given;
    // otherwise the JSSE defaults for the socket are left untouched.
    protected void setEnabledProtocols(SSLServerSocket socket,
            String[] protocols) {
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
    }
The default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is
not invoked, is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1,
TLSv1.1 and TLSv1.2.
In Tomcat 7, when the (documented) attribute sslEnabledProtocols is omitted,
the method socket.setEnabledProtocols is invoked with the context's default
protocols (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk):
    // Tomcat 7: no attribute means "use the SSLContext's default parameters" ...
    if ((requestedProtocols == null)
            || (requestedProtocols.length == 0)) {
        return context.getDefaultSSLParameters().getProtocols();
    }
    ...
    // ... and that list is then always pushed onto the socket.
    socket.setEnabledProtocols(enabledProtocols);
Now, here is the catch. The Oracle JDK 7 method
SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3 and TLSv1
as default protocols, but if you create a socket without ever calling
SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol),
SSLv3, TLSv1, TLSv1.1 and TLSv1.2 will be enabled.
This bizarre behavior of Oracle JDK 7, combined with the slight difference
between the Tomcat 6 and Tomcat 7 code, results in different TLS/SSL protocols
being enabled by default.
What do you think, should we do anything about it? We could:
1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols
are not specified.
3. Document the different behavior, and leave it as-is.
I prefer how Tomcat 6 is interpreting that attribute -- trying to enable
best possible TLS protocol versions available. That is what I would
expect as a Tomcat user.
-Ognjen
[1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html
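The following is an added example, not code from the thread above and not Tomcat's own code. It reproduces the two code paths the message describes against whatever JDK it is compiled with, so an operator can see which protocol versions a connector would end up with in each case before upgrading. Both helper method names and the use of an unbound SSLServerSocket are this example's own choices; the actual lists printed depend on the JDK in use (the thread reports them for Oracle JDK 1.7.0_15).

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class JsseDefaultProtocolsCheck {

    // Tomcat 6 style path: the socket is created and setEnabledProtocols is
    // never called, so whatever JSSE enables on a fresh socket stays enabled.
    static Set<String> protocolsWhenNotSet(SSLContext ctx) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Unbound socket: no port is opened, we only want its configuration.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket()) {
            return new LinkedHashSet<>(Arrays.asList(socket.getEnabledProtocols()));
        }
    }

    // Tomcat 7 style path: the attribute is omitted, so the context's default
    // parameters are fetched and pushed onto the socket explicitly.
    static Set<String> protocolsFromContextDefaults(SSLContext ctx) throws Exception {
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket()) {
            socket.setEnabledProtocols(defaults);
            return new LinkedHashSet<>(Arrays.asList(socket.getEnabledProtocols()));
        }
    }

    // Protocols a deployment would silently lose (or gain) when moving from the
    // "never set" path to the "context defaults" path.
    static Set<String> difference(Set<String> a, Set<String> b) {
        Set<String> result = new LinkedHashSet<>(a);
        result.removeAll(b);
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        Set<String> notSet = protocolsWhenNotSet(ctx);
        Set<String> fromDefaults = protocolsFromContextDefaults(ctx);

        System.out.println("JDK supported protocols:               "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled, setEnabledProtocols not called: " + notSet);
        System.out.println("enabled, context defaults applied:       " + fromDefaults);
        System.out.println("only in the 'not called' path:           "
                + difference(notSet, fromDefaults));
        System.out.println("only in the 'context defaults' path:     "
                + difference(fromDefaults, notSet));
    }
}
```

Run it with the same JDK that will run Tomcat; the "only in" lines show exactly which versions an upgrade between the two code paths would add or drop, which is the information needed to decide whether sslEnabledProtocols (Tomcat 7) or protocols (Tomcat 6) must be set explicitly in server.xml rather than relying on either default.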