On 30/06/2022 17:47, Christopher Schultz wrote:
On 6/30/22 03:35, ma...@apache.org wrote:
<snip/>
+<section name="Unsafe legacy negotiation">
+ <p>
+ Support for unsafe legacy negotiation depends on OpenSSL. Only if
Tomcat
+ Native is compiled with a build of OpenSSL that supports legacy
renegotiation
+ will Tomcat Native support it.
+ </p>
Does this mean it's /possible/ (and configurable) to use Unsafe Legacy
Negotiation, or does it mean that it's always-on for openssl builds
where it's there, and always-off when it's not there?
It means that it is possible, configurable and disabled by default to
use unsafe legacy negotiation unless OpenSSL has been compiled with that
functionality explicitly removed. In which case it is completely disabled.
My memory is that I found a page that indicated it was possible to
compile OpenSSL with that functionality removed. When I went to re-check
my facts before writing this email, I couldn't find anything to confirm
that.
I'll re-write that page to make clear that the behaviour is determined
by OpenSSL configuration and that with 3.0.x, support is disabled by
default.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org