Re: Tomcat 6 and Tomcat 7 enable different TLS protocols by default

On 8.3.2013 11:14, Ognjen Blagojevic wrote:
> Hi,
>
> As previously discussed on the user list [1], HTTPS JSSE Connectors (both BIO
> and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in terms of
> enabled TLS/SSL protocols. (I repeat the parts from that thread here.)
>
> Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while
> Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and might
> introduce problems when upgrading from Tomcat 6 to Tomcat 7.
>
> The reason for this discrepancy is that in the Tomcat 6 code, if the
> (undocumented) attribute protocols is omitted, method
> socket.setEnabledProtocols is not invoked (JSSESocketFactory, lines 700-702,
> in tc6.0.x/trunk):
>
>     protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){
>         if (protocols != null) {
>             socket.setEnabledProtocols(protocols);
>         }
>     }
>
> The default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is
> not invoked, is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1,
> TLSv1.1, TLSv1.2.
>
> In Tomcat 7, when the (documented) attribute sslEnabledProtocols is omitted,
> method socket.setEnabledProtocols will be invoked with the default protocols
> enabled (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk):
>
>     if ((requestedProtocols == null) || (requestedProtocols.length == 0)) {
>         return context.getDefaultSSLParameters().getProtocols();
>     }
>     ...
>     socket.setEnabledProtocols(enabledProtocols);
>
> Now, here is the catch. Oracle JDK 7 method
> SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3, TLSv1 as
> the default protocols, but if you create a socket without ever calling
> SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol),
> SSLv3, TLSv1, TLSv1.1, TLSv1.2 will be enabled.
>
> This bizarre behavior from Oracle JDK 7 combined with a slight difference in
> the Tomcat 6 and Tomcat 7 code results in different TLS/SSL protocols being
> enabled by default.
>
> What do you think, should we do anything about it? We could:
>
> 1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
> 2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols are
>    not specified.
> 3. Document the different behavior, and leave it as-is.
>
> I prefer how Tomcat 6 is interpreting that attribute -- trying to enable the
> best possible TLS protocol versions available. That is what I would expect
> as a Tomcat user.
>
> -Ognjen
>
> [1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html

Bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54690.

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
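As an added illustration (not code from the mail or from Tomcat), the following standalone Java program reproduces the JSSE behavior described above and applies the fix corresponding to option 1: it prints what SSLContext.getDefaultSSLParameters().getProtocols() returns, what a freshly created SSLServerSocket actually has enabled when nobody calls setEnabledProtocols, and then always sets an explicit protocol list. The class name, the WANTED list and the chooseProtocols helper are assumptions; which protocol names appear depends on the JDK you run it on (a current JDK will not list SSLv3 the way JDK 7 did).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class EnabledProtocolsCheck {
    // Assumed operator preference (TLS only, newest first); not a Tomcat default.
    static final String[] WANTED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    // Keep only the wanted protocols this JSSE provider supports, so that
    // setEnabledProtocols never throws IllegalArgumentException.
    static String[] chooseProtocols(String[] wanted, String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String p : wanted) {
            if (sup.contains(p)) {
                out.add(p);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // The list Tomcat 7 passes to setEnabledProtocols when sslEnabledProtocols is omitted.
        System.out.println("getDefaultSSLParameters(): "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
        SSLServerSocket s = (SSLServerSocket) ssf.createServerSocket(0); // ephemeral port
        try {
            // What the socket has enabled when nobody calls setEnabledProtocols
            // (the Tomcat 6 path when the protocols attribute is omitted).
            System.out.println("socket, untouched: " + Arrays.toString(s.getEnabledProtocols()));
            System.out.println("socket, supported: " + Arrays.toString(s.getSupportedProtocols()));
            // Option 1 from the mail, applied by hand: always set an explicit list
            // rather than relying on either JSSE default.
            s.setEnabledProtocols(chooseProtocols(WANTED, s.getSupportedProtocols()));
            System.out.println("socket, after fix: " + Arrays.toString(s.getEnabledProtocols()));
        } finally {
            s.close();
        }
    }
}
```

The same explicit-list approach is what an operator gets in Tomcat 7 by setting sslEnabledProtocols on the connector, which sidesteps both JSSE defaults.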