All,
The sslProtocol and sslEnabledProtocols configuration attributes on
<Connector> are potentially confusing to people, and there really isn't
any reason for it.
There is really never any reason to change sslProtocol from the default
which is "TLS" because:
1. "TLS" actually enables SSLv3 when SSLv3 is available (which is rare
these days)
2. "TLS" covers all current and likely future versions of the protocol
3. sslEnabledProtocols exists to tweak exactly which of many
protocol-versions are actually being used
The only reason we have sslProtocol vs sslEnabledProtocols is because of
the Java API details; there is no need to present this complexity to users.
Initially, this was going to be a proposal to simply *remove*
sslProtocol altogether and fix its value at "TLS" forever, and then
treat both sslProtocol and sslEnabledProtocols as aliases for each
other. Just choose the longer of the two non-default values assuming
that "TLSv1.2" would be longer than "TLS", and so we would enable only
TLSv1.2 if it were specified in sslProtocol and not sslEnabledProtocols.
But my guess is that there are some weird circumstances where someone
might actually want to change that value.
So my proposal instead is to change the documentation for sslProtocol to
simply say:
"This should always be left at the default value of 'TLS'."
Then, the documentation for sslEnabledProtocols can be changed to "list
of protocol versions to enable e.g. SSLv3, TLSv1.2, etc.".
-chris
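To make the "Java API details" behind the two attributes concrete, here is an added example (not from the message above, and not Tomcat's own connector code) that mirrors what a connector does with them: sslProtocol is the algorithm name handed to SSLContext.getInstance(), and sslEnabledProtocols is the list handed to SSLEngine.setEnabledProtocols(). The constants SSL_PROTOCOL and SSL_ENABLED_PROTOCOLS are stand-ins for the <Connector> attribute values; the class name and the use of the JVM's default key/trust material are assumptions made for the demo.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Demonstrates why the "TLS" context plus an explicit enabled-protocol list is the
 * right combination: the context name decides what the provider *can* speak, while
 * setEnabledProtocols() decides what a peer is actually allowed to negotiate.
 */
public class SslProtocolDemo {

    // Stand-ins for the <Connector sslProtocol="..."> attribute (keep at "TLS").
    static final String SSL_PROTOCOL = "TLS";

    // Stand-ins for <Connector sslEnabledProtocols="..."> (the attribute to tune).
    static final String[] SSL_ENABLED_PROTOCOLS = { "TLSv1.2" };

    /** Builds an engine the way a connector would: context from sslProtocol, then narrow it. */
    static SSLEngine buildEngine(String sslProtocol, String[] sslEnabledProtocols) throws Exception {
        SSLContext ctx = SSLContext.getInstance(sslProtocol);
        // Assumption for the demo: default key managers/trust managers/SecureRandom are
        // sufficient, since we only inspect protocol handling and never handshake.
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();

        // setEnabledProtocols() rejects any name the context does not support with an
        // IllegalArgumentException, so a typo or a provider-disabled version fails loudly.
        engine.setEnabledProtocols(sslEnabledProtocols);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance(SSL_PROTOCOL);
        ctx.init(null, null, null);
        SSLEngine probe = ctx.createSSLEngine();

        // Everything the "TLS" context knows about, including old versions the JVM may
        // have disabled by policy; this is why "TLS" does not need changing per version.
        System.out.println("Supported by the \"" + SSL_PROTOCOL + "\" context: "
                + Arrays.toString(probe.getSupportedProtocols()));
        System.out.println("Enabled by default:  "
                + Arrays.toString(probe.getEnabledProtocols()));

        // Now apply the restriction an operator would express via sslEnabledProtocols.
        SSLEngine restricted = buildEngine(SSL_PROTOCOL, SSL_ENABLED_PROTOCOLS);
        System.out.println("Enabled after restriction: "
                + Arrays.toString(restricted.getEnabledProtocols()));
    }
}
```

Run it with `javac SslProtocolDemo.java && java SslProtocolDemo`. The first two lines of output show that a single "TLS" context already covers every version the provider offers, and the last line shows that only sslEnabledProtocols changes what a client could negotiate, which is the point of the proposal: leave sslProtocol alone and document sslEnabledProtocols as the list to edit.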
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org