2015-04-21 23:56 GMT+03:00 <ma...@apache.org>:
> Author: markt
> Date: Tue Apr 21 20:56:14 2015
> New Revision: 1675198
>
> URL: http://svn.apache.org/r1675198
> Log:
> Document the protocols attribute for SSLHostConfig and align the
> implementation with it.
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
> tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
> tomcat/trunk/webapps/docs/config/http.xml
>
(...)
> Modified: tomcat/trunk/webapps/docs/config/http.xml
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/http.xml (original)
> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
> @@ -1050,7 +1050,7 @@
>
> <attributes>
>
> - <attribute name="hostName" required="true">
> + <attribute name="hostName" required="false">
> <p>The name of the SSL Host. This should either be the fully qualified
> domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
> name (e.g. <code>*.apache.org</code>). If not specified, the default
> value
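Review bot: the flip of `required` from `true` to `false` on the `hostName` attribute is not covered by the log message, which only speaks of the protocols attribute; either mention it in the log or commit it separately, and make sure the sentence that continues the hunk ("If not specified, the default value ...") names the default value the implementation now falls back to, since a host name that is silently defaulted decides which certificate and protocol settings a client ends up with.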
> @@ -1058,7 +1058,20 @@
> </attribute>
>
> <attribute name="protocols" required="false">
> - <p></p>
> + <p>The names of the protocols to support when communicating with
> clients.
> + This should be a comma separated list of any combination of the
> following:
> + </p>
> + <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
> + <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
> + <p>Note that OpenSSL based secure connectors will always support
> + <code>SSLv2Hello</code> regardless of whether or not it is included in
> the
> + value for this attribute.</p>
> + <p>Note that <code>all</code> is an alias for
> + <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
> + <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
> + unsafe.</p>
> + <p>If not specified, the default value of <code>all</code> will be
> + used.</p>
> </attribute>

As far as I remember from reading the source code, the above phrase
"Note that OpenSSL based secure connectors will always support SSLv2Hello
regardless of whether or not it is included in the value for this
attribute." about the "protocols" attribute is not true.

I think that it works as follows:

1) If "protocols" includes several protocols (like in "TLSv1,TLSv1.1,TLSv1.2"),
then OpenSSL configures a generic handshake method that supports SSLv2Hello.

2) If "protocols" includes only one protocol (e.g. "TLSv1" or "TLSv1.2"),
it configures a handshake method for that specific protocol, and SSLv2Hello
is not enabled.

In our sslcontext.c of Tomcat-Native 1.1.x:

The case of 1) uses
    ctx = SSL_CTX_new(SSLv23_server_method());

The case of 2) uses
    ctx = SSL_CTX_new(TLSv1_2_server_method());
    ctx = SSL_CTX_new(TLSv1_1_server_method());
    ctx = SSL_CTX_new(TLSv1_server_method());
etc.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
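Review bot: the new paragraph stating that OpenSSL based connectors "will always support SSLv2Hello regardless of whether or not it is included in the value for this attribute" is a statement about connector behaviour, and it should be checked against the handshake method the native code actually selects for a given protocol set before it ships as documentation; if the outcome depends on how many versions are listed, the paragraph should say so rather than "always". Also, the `<ul>` presents `SSLv2` and `SSLv3` as accepted values and only two paragraphs later calls them inherently unsafe; putting that warning directly after the list, together with the observation that the `all` alias (and therefore the default) already excludes both, makes the intent harder to miss.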
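To make the distinction Konstantin draws concrete, here is an added example that is not Tomcat Native's sslcontext.c and not Tomcat's SSLHostConfig parser. It models the two cases in plain C without linking OpenSSL: a `protocols` value is parsed into a bitmask, and the result is mapped to the OpenSSL server method name the thread describes, together with whether an SSLv2Hello-format ClientHello would be accepted by that method. Every name in it (`PROTO_*`, `parse_protocols`, `select_method`, `method_for`, `accepts_sslv2hello`) is invented here. Two rules are assumptions made for the example because the thread only names the TLS methods: `SSLv2Hello` is treated as a hello format rather than a protocol version, so it does not count toward "several protocols", and a lone `SSLv2` or `SSLv3` falls through to the generic method.

```c
/* Added example, not Tomcat Native's sslcontext.c: models the handshake-method
 * selection described in the thread for a given SSLHostConfig "protocols" value.
 * All names here (PROTO_*, parse_protocols, select_method, ...) are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum {
    PROTO_SSLV2HELLO = 1 << 0,   /* a ClientHello format, not a protocol version */
    PROTO_SSLV2      = 1 << 1,
    PROTO_SSLV3      = 1 << 2,
    PROTO_TLSV1      = 1 << 3,
    PROTO_TLSV1_1    = 1 << 4,
    PROTO_TLSV1_2    = 1 << 5,
    /* "all" is documented as an alias for TLSv1,TLSv1.1,TLSv1.2 */
    PROTO_ALL        = PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2
};

static const struct { const char *name; int bit; } proto_table[] = {
    {"SSLv2Hello", PROTO_SSLV2HELLO}, {"SSLv2", PROTO_SSLV2},
    {"SSLv3", PROTO_SSLV3},           {"TLSv1", PROTO_TLSV1},
    {"TLSv1.1", PROTO_TLSV1_1},       {"TLSv1.2", PROTO_TLSV1_2},
    {"all", PROTO_ALL},
};

/* Parse a comma separated "protocols" value into a bitmask. Blanks around
 * tokens are ignored; a NULL or empty value means the documented default
 * "all"; an unknown or empty token makes the whole value invalid (-1). */
int parse_protocols(const char *value)
{
    if (value == NULL || *value == '\0')
        return PROTO_ALL;

    int mask = 0;
    const char *p = value;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        while (len > 0 && *p == ' ') { p++; len--; }       /* trim leading blanks */
        while (len > 0 && p[len - 1] == ' ') len--;        /* trim trailing blanks */

        int bit = 0;
        for (size_t i = 0; i < sizeof proto_table / sizeof proto_table[0]; i++) {
            /* length check keeps "TLSv1" from matching the prefix of "TLSv1.1" */
            if (strlen(proto_table[i].name) == len &&
                strncmp(proto_table[i].name, p, len) == 0) {
                bit = proto_table[i].bit;
                break;
            }
        }
        if (bit == 0)
            return -1;
        mask |= bit;

        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return mask;
}

/* Map the parsed set to the OpenSSL server method the thread describes:
 * exactly one TLS version -> that version's *_server_method(), SSLv2Hello off;
 * anything else -> the generic SSLv23_server_method(), which accepts SSLv2Hello.
 * Assumptions: SSLv2Hello does not count as a version, and a lone SSLv2/SSLv3
 * is not modelled separately (the thread names only the TLS methods). */
const char *select_method(int mask, bool *sslv2hello)
{
    switch (mask & ~PROTO_SSLV2HELLO) {
    case PROTO_TLSV1:   *sslv2hello = false; return "TLSv1_server_method";
    case PROTO_TLSV1_1: *sslv2hello = false; return "TLSv1_1_server_method";
    case PROTO_TLSV1_2: *sslv2hello = false; return "TLSv1_2_server_method";
    default:            *sslv2hello = true;  return "SSLv23_server_method";
    }
}

/* Method name for a raw attribute value, or NULL if the value is invalid. */
const char *method_for(const char *value)
{
    int mask = parse_protocols(value);
    bool unused;
    return mask < 0 ? NULL : select_method(mask, &unused);
}

/* 1 if the selected method accepts SSLv2Hello, 0 if not, -1 on a bad value. */
int accepts_sslv2hello(const char *value)
{
    int mask = parse_protocols(value);
    if (mask < 0)
        return -1;
    bool hello;
    select_method(mask, &hello);
    return hello ? 1 : 0;
}

int main(void)
{
    /* Constructed sample attribute values, including the documented default. */
    const char *samples[] = { NULL, "all", "TLSv1.2", "TLSv1,TLSv1.1,TLSv1.2",
                              "SSLv2Hello,TLSv1.2", "TLSv1.3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *v = samples[i] ? samples[i] : "(unset)";
        const char *m = method_for(samples[i]);
        if (m == NULL)
            printf("%-24s -> invalid value\n", v);
        else
            printf("%-24s -> %-22s SSLv2Hello accepted: %s\n", v, m,
                   accepts_sslv2hello(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Under the behaviour modelled here the default `all` (three versions) lands on the generic method and therefore accepts SSLv2Hello, while a single `TLSv1.2` does not, which is exactly why a documentation sentence saying "always" would mislead an administrator who is auditing which hello formats a connector accepts. It also shows the converse caveat: once several versions are listed, the attribute alone offers no way to switch SSLv2Hello off.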