https://issues.apache.org/bugzilla/show_bug.cgi?id=51056
--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> 2011-07-19 23:43:25 UTC ---

Created attachment 27300
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27300
Drop SSLv2 support in native examples

To apply the patch one has to remove those "a/jni" and "b/jni" prefixes that do not match the svn source layout.

There were changes in sslcontext.c recently, so the patch does not apply cleanly anymore.

Anyway,

1) tc-native is still used on old systems, like Tomcat 5.5, and thus I don't feel comfortable removing this feature. Maybe consider this for trunk of tc-native, or postpone until native 1.2 is nearer? Maybe make this code conditional using some #define, e.g. on the OpenSSL version?

2) +1 to disable it by default in Java code in Tomcat

The patch also updates tc-native examples. I am attaching the part of Damien Raude-Morvan's patch that modifies the examples, against the 1.1.x branch of tomcat/native.

Regarding the examples:

* examples/org/apache/tomcat/jni/SSLServer.java: OK for the change

* examples/org/apache/tomcat/jni/SSL.properties: -1:

First, if I understand the old value correctly, it enables "ALL" ciphers, then shifts SSLv2 to the end of the list by priority. Removing SSLv2 moves it to the front of the list, and that is wrong. To disable it, one can write !SSLv2

Second, the old value matches whatever default is in Apache HTTPD 2.2, see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Apache HTTPD 2.3 docs say that the default depends on the OpenSSL version, without providing further specifics. I do not see the value in the code - I think it comes from OpenSSL.

OpenSSL docs say that the default value is DEFAULT and that it is determined at compile time.
http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Apparently for OpenSSL 1.0.0 the correct value to be used as default will be literally "DEFAULT". The above mentioned OpenSSL docs say that for 1.0.0 the default value is normally "ALL:!aNULL:!eNULL".
This is not true for the copy of OpenSSL 1.0.0d that I have. The command to list ciphers, "openssl ciphers -v <cipherslist>", does not list SSLv2 ciphers for DEFAULT, but does mention one SSLv2 cipher for "ALL:!aNULL:!eNULL".
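As an added illustration (not part of the comment above or of tc-native), a simplified Python model of the OpenSSL cipher-string operators the comment relies on, run over a small constructed cipher table: it shows why dropping "+SSLv2" from the old value leaves the SSLv2 suite in place instead of disabling it, why "!SSLv2" does disable it, and why "ALL:!aNULL:!eNULL" can still contain an SSLv2 suite. The cipher names, tags and their order are assumptions; the real list and order come from "openssl ciphers -v", which is authoritative.

```python
# Simplified model of the OpenSSL cipher-string operators (':'-separated words):
#   WORD   append matching ciphers not yet selected, in table order
#   +WORD  move matching ciphers already selected to the end (lowest priority)
#   -WORD  remove matching ciphers; a later word may add them back
#   !WORD  remove matching ciphers permanently for this string
# The cipher table is CONSTRUCTED for illustration (names, tags and order are
# assumptions); real suites and their order come from "openssl ciphers -v".
# As in OpenSSL, "ALL" does not cover eNULL ciphers, so NULL-SHA lacks that tag.

CIPHERS = [
    # (name, set of words it matches)
    ("ECDHE-RSA-AES256-SHA", {"ALL", "TLSv1", "HIGH", "aRSA"}),
    ("DES-CBC3-MD5",         {"ALL", "SSLv2", "HIGH", "aRSA"}),   # the SSLv2 suite
    ("AES128-SHA",           {"ALL", "TLSv1", "HIGH", "aRSA"}),
    ("ADH-AES128-SHA",       {"ALL", "TLSv1", "HIGH", "aNULL"}),  # anonymous DH
    ("RC4-MD5",              {"ALL", "SSLv3", "MEDIUM", "aRSA"}),
    ("NULL-SHA",             {"eNULL", "TLSv1", "aRSA"}),         # no encryption
]


def expand(cipher_string):
    """Return the ordered cipher names selected by cipher_string (unknown words match nothing)."""
    selected = []
    killed = set()
    for word in cipher_string.split(":"):
        if not word:
            continue
        op, name = (word[0], word[1:]) if word[0] in "+-!" else ("", word)
        hits = [c for c, tags in CIPHERS if name in tags and c not in killed]
        if op == "":
            selected += [c for c in hits if c not in selected]
        elif op == "+":
            selected = [c for c in selected if c not in hits] + [c for c in selected if c in hits]
        elif op == "-":
            selected = [c for c in selected if c not in hits]
        else:  # "!"
            killed.update(hits)
            selected = [c for c in selected if c not in hits]
    return selected


if __name__ == "__main__":
    # "ALL:+SSLv2" has the shape of the old value; "ALL" is what remains after
    # dropping "+SSLv2"; "ALL:!SSLv2" actually disables the SSLv2 suite.
    for s in ("ALL:+SSLv2", "ALL", "ALL:!SSLv2", "!SSLv2:ALL", "ALL:!aNULL:!eNULL"):
        print(f"{s:20} -> {expand(s)}")
```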