On 06/05/2015 13:41, Mark Thomas wrote:
> On 06/05/2015 02:24, Konstantin Kolinko wrote:
>> 2015-04-21 23:56 GMT+03:00 <ma...@apache.org>:
>>> Author: markt
>>> Date: Tue Apr 21 20:56:14 2015
>>> New Revision: 1675198
>>>
>>> URL: http://svn.apache.org/r1675198
>>> Log:
>>> Document the protocols attribute for SSLHostConfig and align the
>>> implementation with it.
>>>
>>> Modified:
>>> tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>>> tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>>> tomcat/trunk/webapps/docs/config/http.xml
>>>
>>
>> (...)
>>
>>> Modified: tomcat/trunk/webapps/docs/config/http.xml
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
>>> ==============================================================================
>>> --- tomcat/trunk/webapps/docs/config/http.xml (original)
>>> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
>>> @@ -1050,7 +1050,7 @@
>>>
>>> <attributes>
>>>
>>> - <attribute name="hostName" required="true">
>>> + <attribute name="hostName" required="false">
>>> <p>The name of the SSL Host. This should either be the fully
>>> qualified
>>> domain name (e.g. <code>tomcat.apache.org</code>) or a wild card
>>> domain
>>> name (e.g. <code>*.apache.org</code>). If not specified, the default
>>> value
>>> @@ -1058,7 +1058,20 @@
>>> </attribute>
>>>
>>> <attribute name="protocols" required="false">
>>> - <p></p>
>>> + <p>The names of the protocols to support when communicating with
>>> clients.
>>> + This should be a comma separated list of any combination of the
>>> following:
>>> + </p>
>>> + <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
>>> + <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
>>> + <p>Note that OpenSSL based secure connectors will always support
>>> + <code>SSLv2Hello</code> regardless of whether or not it is included
>>> in the
>>> + value for this attribute.</p>
>>> + <p>Note that <code>all</code> is an alias for
>>> + <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
>>> + <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
>>> + unsafe.</p>
>>> + <p>If not specified, the default value of <code>all</code> will be
>>> + used.</p>
>>> </attribute>
>>
>> As far as I remember from reading the source code, the above phrase
>> "Note that OpenSSL based secure connectors will always support
>> SSLv2Hello regardless of whether or not it is included in the value
>> for this attribute." about the "protocols" attribute is not true.
>>
>> I think that it works as follows:
>>
>> 1) If "protocols" includes several protocols (like in
>> "TLSv1,TLSv1.1,TLSv1.2") then OpenSSL configures a generic handshake
>> method that supports SSLv2Hello.
>>
>> 2) If "protocols" includes only one protocol (e.g. "TLSv1" or
>> "TLSv1.2"), it configures a handshake method for that specific
>> protocol, and SSLv2Hello is not enabled.
>>
>> In our sslcontext.c of Tomcat-Native 1.1.x:
>>
>> The case of 1) uses
>> ctx = SSL_CTX_new(SSLv23_server_method());
>>
>> The case of 2) uses
>> ctx = SSL_CTX_new(TLSv1_2_server_method());
>> ctx = SSL_CTX_new(TLSv1_1_server_method());
>> ctx = SSL_CTX_new(TLSv1_server_method());
>> etc.
>
> Interesting. I should be able to change things so both JSSE and OpenSSL
> based connectors work the same way.
> I'll take a look.

Maybe not then. I'll work on some better language for the docs.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
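Review bot: in the second http.xml hunk, the alias name `all` is easy to misread against the list directly above it, which also offers SSLv2Hello, SSLv2 and SSLv3; since the hunk defines `all` as `TLSv1,TLSv1.1,TLSv1.2` only, the default paragraph should state outright that the default excludes SSLv2 and SSLv3 and that they are enabled only when listed by name, so the "inherently unsafe" note reads as advice against opting in rather than as a description of what `all` covers. The SSLv2Hello sentence also needs qualifying: as Konstantin's reply in this thread points out, the single-protocol path in tcnative 1.1.x selects a protocol-specific `*_server_method()` that does not enable SSLv2Hello, so "will always support" holds only for the multi-protocol `SSLv23_server_method()` case, and the text should say which case it describes.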
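The attribute semantics in the hunk and the two tcnative 1.1.x cases Konstantin describes, modelled as a small checker a deployer could run over a server.xml value. This is an added example, not Tomcat or tcnative code; it assumes that SSLv2Hello does not count as a protocol version for the "only one protocol" test and that specific method names for versions other than the three shown follow the same naming pattern.

```python
# Added example (not Tomcat or tcnative code): models how the SSLHostConfig
# "protocols" attribute is read, following the thread's description.
ALL_ALIAS = ("TLSv1", "TLSv1.1", "TLSv1.2")        # documented alias for "all"
KNOWN = {"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "all"}
UNSAFE = {"SSLv2", "SSLv3"}                         # "inherently unsafe" per the docs


def parse_protocols(value):
    """Expand a comma separated attribute value into an ordered list of names.

    An empty or missing value means the documented default, "all".
    Unknown names are rejected rather than silently ignored.
    """
    if value is None or not value.strip():
        value = "all"
    names = []
    for tok in value.split(","):
        tok = tok.strip()
        if tok not in KNOWN:
            raise ValueError(f"unknown protocol name: {tok!r}")
        for p in (ALL_ALIAS if tok == "all" else (tok,)):
            if p not in names:
                names.append(p)
    return names


def openssl_plan(value):
    """Describe what the tcnative 1.1.x path in the thread would configure.

    Several versions -> generic SSLv23_server_method(), which accepts SSLv2Hello.
    Exactly one version -> that version's specific method, SSLv2Hello off.
    Assumptions: SSLv2Hello is not itself a version, and specific method names
    follow the pattern of the three shown (TLSv1.2 -> TLSv1_2_server_method).
    """
    names = parse_protocols(value)
    versions = [p for p in names if p != "SSLv2Hello"]
    unsafe = sorted(UNSAFE.intersection(versions))   # what a deployer should see
    if len(versions) == 1:
        method = versions[0].replace(".", "_") + "_server_method"
        return {"method": method, "sslv2hello": False,
                "versions": versions, "unsafe": unsafe}
    return {"method": "SSLv23_server_method", "sslv2hello": True,
            "versions": versions, "unsafe": unsafe}


if __name__ == "__main__":
    for v in (None, "TLSv1.2", "SSLv2Hello,TLSv1.2", "SSLv3,TLSv1"):
        print(repr(v), "->", openssl_plan(v))
```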