Re: Tomcat 6 and Tomcat 7 enables different TLS protocols by default

2013-03-13 Thread Ognjen Blagojevic

On 8.3.2013 11:14, Ognjen Blagojevic wrote:

Hi,

As previously discussed on user list [1], HTTPS JSSE Connectors (both
BIO and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in
terms of enabled TLS/SSL protocols.

(I repeat the parts from that thread here.)

Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while
Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and
might introduce problems when upgrading from Tomcat 6 to Tomcat 7.

The reason for this discrepancy is that in the Tomcat 6 code, if the (undocumented)
attribute protocols is omitted, method socket.setEnabledProtocols is
not being invoked (JSSESocketFactory, lines 700-702, in tc6.0.x/trunk):

    protected void setEnabledProtocols(SSLServerSocket socket,
            String[] protocols) {
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
    }

Default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is
not invoked is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1,
TLSv1.1, TLSv1.2.


In Tomcat 7, when the (documented) attribute sslEnabledProtocols is omitted,
method socket.setEnabledProtocols will be invoked with the default protocols
enabled (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk):

    if ((requestedProtocols == null)
            || (requestedProtocols.length == 0)) {
        return context.getDefaultSSLParameters().getProtocols();
    }
    ...
    socket.setEnabledProtocols(enabledProtocols);


Now, here is the catch. Oracle JDK 7 method
SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3, TLSv1
as default protocols, but if you create a socket without ever calling
SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol),
SSLv3, TLSv1, TLSv1.1, TLSv1.2 will be enabled.

This bizarre behavior from Oracle JDK 7 combined with slight difference
in Tomcat 6 and Tomcat 7 code results in different TLS/SSL protocols
being enabled by default.

What do you think, should we do anything about it? We could:

1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols
are not specified.
3. Document the different behavior, and leave it as-is.


I prefer how Tomcat 6 is interpreting that attribute -- trying to enable
best possible TLS protocol versions available. That is what I would
expect as a Tomcat user.

-Ognjen

[1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html



Bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54690.

-Ognjen


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Tomcat 6 and Tomcat 7 enables different TLS protocols by default

2013-03-08 Thread Ognjen Blagojevic

Hi,

As previously discussed on user list [1], HTTPS JSSE Connectors (both 
BIO and NIO) have different behavior in Tomcat 6 and in Tomcat 7, in 
terms of enabled TLS/SSL protocols.


(I repeat the parts from that thread here.)

Tomcat 6 will by default enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while 
Tomcat 7 will enable SSLv3 and TLSv1. This is counter-intuitive and 
might introduce problems when upgrading from Tomcat 6 to Tomcat 7.


The reason for this discrepancy is that in the Tomcat 6 code, if the (undocumented) 
attribute protocols is omitted, method socket.setEnabledProtocols is 
not being invoked (JSSESocketFactory, lines 700-702, in tc6.0.x/trunk):

    protected void setEnabledProtocols(SSLServerSocket socket,
            String[] protocols) {
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
    }

Default on Oracle JDK 7 (1.7.0_15), when socket.setEnabledProtocols is 
not invoked is to enable SSLv2Hello (pseudo protocol), SSLv3, TLSv1, 
TLSv1.1, TLSv1.2.



In Tomcat 7, when the (documented) attribute sslEnabledProtocols is omitted, 
method socket.setEnabledProtocols will be invoked with the default protocols 
enabled (JSSESocketFactory lines 679-681 and line 727, in tc7.0.x/trunk):

    if ((requestedProtocols == null)
            || (requestedProtocols.length == 0)) {
        return context.getDefaultSSLParameters().getProtocols();
    }
    ...
    socket.setEnabledProtocols(enabledProtocols);


Now, here is the catch. Oracle JDK 7 method 
SSLContext.getDefaultSSLParameters().getProtocols() returns SSLv3, TLSv1 
as default protocols, but if you create a socket without ever calling 
SSLServerSocket.setEnabledProtocols, then SSLv2Hello (pseudo protocol), 
SSLv3, TLSv1, TLSv1.1, TLSv1.2 will be enabled.


This bizarre behavior from Oracle JDK 7 combined with slight difference 
in Tomcat 6 and Tomcat 7 code results in different TLS/SSL protocols 
being enabled by default.


What do you think, should we do anything about it? We could:

1. Patch Tomcat 6 trunk to call setEnabledProtocols always.
2. Patch Tomcat 7 trunk not to call setEnabledProtocols when protocols 
are not specified.

3. Document the different behavior, and leave it as-is.


I prefer how Tomcat 6 is interpreting that attribute -- trying to enable 
best possible TLS protocol versions available. That is what I would 
expect as a Tomcat user.


-Ognjen

[1] http://www.mail-archive.com/users@tomcat.apache.org/msg104756.html
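The JDK behaviour the post above describes, as an added example that is not part of the original thread and not Tomcat's own code: a small Java program that builds an SSLServerSocket the way each Tomcat version does and reports what the JDK actually enables in each case. The class name EnabledProtocolsCheck, the helper names and the allow-list passed to protocolsWhenPinned are my own choices; the protocol lists it prints depend on the JDK you run it on and on its jdk.tls.disabledAlgorithms security property, so on the 1.7.0_15 build discussed above you should see the two different lists the post quotes, while newer JDKs will show different defaults.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not Tomcat code: the three ways an SSLServerSocket can end up
// with a protocol list. The first two mirror the Tomcat 6 and Tomcat 7 code
// paths quoted in the thread; the third is an explicit allow-list.
public class EnabledProtocolsCheck {

    private static SSLServerSocket newSocket(SSLContext ctx) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Port 0 = ephemeral port; the socket is only inspected, never accept()ed.
        return (SSLServerSocket) factory.createServerSocket(0);
    }

    /** Tomcat 6 path: setEnabledProtocols() is never called on the socket. */
    static String[] protocolsWhenNotSet(SSLContext ctx) throws IOException {
        try (SSLServerSocket s = newSocket(ctx)) {
            return s.getEnabledProtocols();
        }
    }

    /** Tomcat 7 path: setEnabledProtocols(context.getDefaultSSLParameters().getProtocols()). */
    static String[] protocolsWhenSetToDefaults(SSLContext ctx) throws IOException {
        try (SSLServerSocket s = newSocket(ctx)) {
            s.setEnabledProtocols(ctx.getDefaultSSLParameters().getProtocols());
            return s.getEnabledProtocols();
        }
    }

    /**
     * Explicit allow-list (what an explicit sslEnabledProtocols gives you),
     * intersected with the JDK's supported list so that setEnabledProtocols()
     * does not throw IllegalArgumentException on a JDK that lacks one entry.
     */
    static String[] protocolsWhenPinned(SSLContext ctx, String... wanted) throws IOException {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> chosen = new ArrayList<>();
        for (String p : wanted) {
            if (supported.contains(p)) {
                chosen.add(p);
            }
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("JDK supports none of " + Arrays.toString(wanted));
        }
        try (SSLServerSocket s = newSocket(ctx)) {
            s.setEnabledProtocols(chosen.toArray(new String[0]));
            return s.getEnabledProtocols();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version                      : " + System.getProperty("java.version"));
        System.out.println("supported                         : "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("getDefaultSSLParameters()         : "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("socket, never set (Tomcat 6)      : "
                + Arrays.toString(protocolsWhenNotSet(ctx)));
        System.out.println("socket, set to defaults (Tomcat 7): "
                + Arrays.toString(protocolsWhenSetToDefaults(ctx)));
        System.out.println("socket, pinned allow-list         : "
                + Arrays.toString(protocolsWhenPinned(ctx, "TLSv1.3", "TLSv1.2")));
    }
}
```

Compile and run it on the JDK that Tomcat will use (javac EnabledProtocolsCheck.java && java EnabledProtocolsCheck). The practical takeaway is the same regardless of which of the three options in the post is adopted: do not rely on whichever of the two JDK "defaults" a given Tomcat version happens to pick up, but set the protocol list explicitly in the connector (sslEnabledProtocols on Tomcat 7, the undocumented protocols attribute on Tomcat 6) so that an upgrade, or a different JDK update, cannot silently change what the server negotiates.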