On 06/05/2015 02:24, Konstantin Kolinko wrote:
> 2015-04-21 23:56 GMT+03:00 <ma...@apache.org>:
>> Author: markt
>> Date: Tue Apr 21 20:56:14 2015
>> New Revision: 1675198
>>
>> URL: http://svn.apache.org/r1675198
>> Log:
>> Document the protocols attribute for SSLHostConfig and align the
>> implementation with it.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>> tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>> tomcat/trunk/webapps/docs/config/http.xml
>>
>
> (...)
>
>> Modified: tomcat/trunk/webapps/docs/config/http.xml >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff >> ============================================================================== >> --- tomcat/trunk/webapps/docs/config/http.xml (original) >> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015 >> @@ -1050,7 +1050,7 @@ >> >> <attributes> >> >> - <attribute name="hostName" required="true"> >> + <attribute name="hostName" required="false"> >> <p>The name of the SSL Host. This should either be the fully qualified >> domain name (e.g. <code>tomcat.apache.org</code>) or a wild card >> domain >> name (e.g. <code>*.apache.org</code>). If not specified, the default >> value
>> @@ -1058,7 +1058,20 @@ >> </attribute> >> >> <attribute name="protocols" required="false"> >> - <p></p> >> + <p>The names of the protocols to support when communicating with >> clients. >> + This should be a comma separated list of any combination of the >> following: >> + </p> >> + <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li> >> + <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul> >> + <p>Note that OpenSSL based secure connectors will always support >> + <code>SSLv2Hello</code> regardless of whether or not it is included >> in the >> + value for this attribute.</p> >> + <p>Note that <code>all</code> is an alias for >> + <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p> >> + <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently >> + unsafe.</p> >> + <p>If not specified, the default value of <code>all</code> will be >> + used.</p> >> </attribute>
>
> As far as I remember from reading the source code, the above phrase
> "Note that OpenSSL based secure connectors will always support
> SSLv2Hello regardless of whether or not it is included in the value
> for this attribute." about the "protocols" attribute is not true.
>
> I think that it works as follows:
>
> 1) If "protocols" includes several protocols (like in
> "TLSv1,TLSv1.1,TLSv1.2") then OpenSSL configures a generic handshake
> method that supports SSLv2Hello.
>
> 2) If "protocols" includes only one protocol (e.g. "TLSv1" or
> "TLSv1.2"), it configures a handshake method for that specific
> protocol, and SSLv2Hello is not enabled.
>
> In our sslcontext.c of Tomcat-Native 1.1.x:
>
> The case of 1) uses
> ctx = SSL_CTX_new(SSLv23_server_method());
>
> The case of 2) uses
> ctx = SSL_CTX_new(TLSv1_2_server_method());
> ctx = SSL_CTX_new(TLSv1_1_server_method());
> ctx = SSL_CTX_new(TLSv1_server_method());
> etc.
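Review bot: the sentence "OpenSSL based secure connectors will always support SSLv2Hello regardless of whether or not it is included in the value for this attribute" in the `protocols` hunk does not hold for the single-protocol case: with exactly one protocol configured, sslcontext.c in Tomcat-Native 1.1.x creates the context with a protocol-specific method (`TLSv1_2_server_method()`, `TLSv1_1_server_method()`, `TLSv1_server_method()`), and only the multi-protocol case uses `SSLv23_server_method()`, which is the one that accepts an SSLv2-format ClientHello. Either qualify the wording to "when more than one protocol is configured" or make AprEndpoint always request the generic method, since the log message says the implementation is being aligned with the documentation. A smaller point in the same hunk: because `all` expands to `TLSv1,TLSv1.1,TLSv1.2`, it is worth stating that `SSLv2` and `SSLv3` are only enabled when listed explicitly, so the "inherently unsafe" note reads as a warning about opting in rather than about the default.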
Interesting. I should be able to change things so both JSSE and OpenSSL
based connectors work the same way. I'll take a look.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
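An added audit helper (example code written here, not Tomcat's or Tomcat-Native's) that applies the `protocols` semantics from the documentation hunk and the sslcontext.c behaviour described in the thread to a server.xml: it expands `all`, rejects unknown values, flags `SSLv2`/`SSLv3`, and reports whether an APR/OpenSSL connector would still accept an SSLv2-format ClientHello. The server.xml fragment and host names are constructed, and treating `SSLv2Hello` as not counting toward the number of configured protocols is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Documented values for the SSLHostConfig 'protocols' attribute (r1675198).
KNOWN = {"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "all"}
ALL_ALIAS = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # documented expansion of 'all'
UNSAFE = {"SSLv2", "SSLv3"}                   # documented as inherently unsafe

def expand_protocols(value):
    """Expand a 'protocols' value; missing/empty means the documented default 'all'."""
    if value is None or not value.strip():
        value = "all"
    result = []
    for tok in (t.strip() for t in value.split(",")):
        if tok not in KNOWN:  # reject typos rather than silently ignoring them
            raise ValueError("unknown protocol: %r" % tok)
        for proto in (ALL_ALIAS if tok == "all" else [tok]):
            if proto not in result:
                result.append(proto)
    return result

def audit_host_config(value):
    """Audit one 'protocols' value for an APR/OpenSSL connector.
    Tomcat-Native 1.1.x sslcontext.c, as described in the thread: several
    protocols -> SSLv23_server_method() (accepts SSLv2Hello); exactly one ->
    TLSv1_x_server_method() (no SSLv2Hello). Assumption of this example:
    'SSLv2Hello' is a hello format, not a version, so it is not counted.
    """
    protos = expand_protocols(value)
    versions = [p for p in protos if p != "SSLv2Hello"]
    return {
        "protocols": protos,
        "unsafe": sorted(UNSAFE & set(protos)),
        "openssl_accepts_sslv2hello": len(versions) != 1,
    }

def audit_server_xml(xml_text):
    """Audit every SSLHostConfig in a server.xml document, keyed by hostName."""
    report = {}
    for host in ET.fromstring(xml_text).iter("SSLHostConfig"):
        name = host.get("hostName", "(no hostName)")  # optional since r1675198
        report[name] = audit_host_config(host.get("protocols"))
    return report

# Constructed server.xml fragment for this example; host names are made up.
SAMPLE_SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true">
  <SSLHostConfig hostName="default.example.test"/>
  <SSLHostConfig hostName="legacy.example.test" protocols="SSLv3,TLSv1"/>
  <SSLHostConfig hostName="strict.example.test" protocols="TLSv1.2"/>
</Connector></Service></Server>"""
```

Run `audit_server_xml` over a real server.xml to list which SSLHostConfig entries opt in to SSLv2/SSLv3 and which, under the 1.1.x behaviour, would not accept SSLv2Hello despite the documented wording.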