https://bz.apache.org/bugzilla/show_bug.cgi?id=61803
Bug ID: 61803 Summary: Documentation for sslEnabledProtocols describes the incorrect way to set this option Product: Tomcat 8 Version: 8.5.23 Hardware: All OS: All Status: NEW Severity: normal Priority: P2 Component: Documentation Assignee: dev@tomcat.apache.org Reporter: simon.daw...@sas.com Target Milestone: ---- In webapps/docs/security-howto.xml the following documentation is provided for the sslEnabledProtocols option. 304 <p>The <strong>sslEnabledProtocols</strong> attribute determines which 305 versions of the SSL/TLS protocol are used. Since the POODLE attack in 306 2014, all SSL protocols are considered unsafe and a secure setting for 307 this attribute in a standalone Tomcat setup might be 308 <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p> This documentation also includes an example of setting this option. When this is syntax is used you get the following warning text printed into the log. WARN - The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing. Inside org/apache/tomcat/util/net/SSLHostConfig.java there is a comment describing the expected format for this options and how its parsed. 441 // List of protocol names, separated by ",", "+" or "-". 442 // Semantics is adding ("+") or removing ("-") from left 443 // to right, starting with an empty protocol set. 444 // Tokens are individual protocol names or "all" for a 445 // default set of supported protocols. 446 // Separator "," is only kept for compatibility and has the 447 // same semantics as "+", except that it warns about a potentially 448 // missing "+" or "-". I've never written a patch before but I'm keen to assist if I can get some guidance. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org