Re: Anyway to enable just all TLS protocols in APR connector?
Jeffrey,

On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> Documentation for the APR connector says setting SSLProtocol=all (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and TLSv1.2 as well.

Why do you think that's the case?

> However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations.

Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched; expect new builds soon.

> In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?

Nope.

> FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default.

This can happen in certain situations, like saying that you want TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that case, you get SSLv23 which I believe in OpenSSL means SSLv3 + SSLv2Hello, which is only as dangerous as SSLv3 right now.

> The question is, if there is no current magic string that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?

Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
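The exchange above turns on two facts: the APR connector's `SSLProtocol` attribute accepts only `TLSv1`, `SSLv2`, `SSLv3`, their `+`-joined combinations and `all`, and `all` (the default) is documented as `TLSv1+SSLv3`. A defender reviewing a fleet of Tomcat instances wants to know which connectors still admit SSLv3 or SSLv2 under those rules. The script below is an added example written for this thread; it is not code from Tomcat, tcnative or any of the list participants. It audits a constructed `server.xml`, expands each SSL-enabled APR connector's `SSLProtocol` value the way the thread describes, and flags legacy SSL versions. The `TLSv1.1`/`TLSv1.2` tokens on port 8444 are an assumption about the later patched builds the thread anticipates, not something the thread itself states; the `Http11AprProtocol` class name and the rule that a bare `HTTP/1.1` may auto-select APR when tcnative is loaded are standard Tomcat behaviour, not taken from the page.

```python
"""Audit a Tomcat server.xml for APR connectors whose SSLProtocol still admits SSLv2/SSLv3.

Added example for the mailing-list thread; not Tomcat or tcnative code.
Assumptions are marked in comments.
"""
import xml.etree.ElementTree as ET

# Tokens the thread says the APR connector accepts (TLSv1, SSLv2, SSLv3, all).
# TLSv1.1 and TLSv1.2 are an ASSUMPTION about the later patched builds the
# thread anticipates; they are not on the page.
KNOWN_TOKENS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Documented meaning of "all" (the default) as quoted in the thread.
ALL_EXPANDS_TO = frozenset({"TLSv1", "SSLv3"})

# Versions a defender wants switched off.
LEGACY_VERSIONS = frozenset({"SSLv2", "SSLv3"})


def expand_ssl_protocol(value):
    """Expand an SSLProtocol value ('TLSv1+SSLv3', 'all', None) into the set of versions it enables.

    None/empty means the default "all". An unknown token raises ValueError,
    mirroring the connector's refusal of strings it does not recognise.
    """
    if value is None or not value.strip():
        value = "all"
    enabled = set()
    for token in value.split("+"):
        token = token.strip()
        if token not in KNOWN_TOKENS:
            raise ValueError("unsupported SSLProtocol token: %r" % token)
        enabled |= ALL_EXPANDS_TO if token == "all" else {token}
    return enabled


def is_apr_connector(connector):
    """True if the Connector names Http11AprProtocol, or uses bare HTTP/1.1
    (which lets Tomcat pick APR when tcnative is present, so it is audited too)."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "Apr" in protocol or protocol == "HTTP/1.1"


def audit_connectors(server_xml):
    """Return one finding dict per SSL-enabled APR connector in a server.xml string.

    A finding holds the port, the configured SSLProtocol, the versions it
    enables, the legacy SSL versions among them, an ok flag and any parse error.
    """
    root = ET.fromstring(server_xml.strip())
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        if not is_apr_connector(connector):
            continue
        finding = {"port": connector.get("port"),
                   "SSLProtocol": connector.get("SSLProtocol", "all")}
        try:
            enabled = expand_ssl_protocol(connector.get("SSLProtocol"))
        except ValueError as exc:
            finding.update(enabled=[], legacy=[], ok=False, error=str(exc))
        else:
            legacy = sorted(enabled & LEGACY_VERSIONS)
            finding.update(enabled=sorted(enabled), legacy=legacy,
                           ok=not legacy, error=None)
        findings.append(finding)
    return findings


# Constructed sample (not a real deployment): 8443 relies on the default "all",
# 8444 uses an explicit TLS-only string (ASSUMPTION: accepted by later builds),
# 8445 uses a string the connector rejects. 8080 is plain HTTP and is skipped.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem" SSLCertificateKeyFile="/path/to/key.pem"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               SSLCertificateFile="/path/to/cert.pem" SSLCertificateKeyFile="/path/to/key.pem"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" SSLProtocol="TLS"
               SSLCertificateFile="/path/to/cert.pem" SSLCertificateKeyFile="/path/to/key.pem"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if f["ok"] else "FAIL"
        detail = f["error"] or "enables %s; legacy: %s" % (f["enabled"], f["legacy"] or "none")
        print("port %s SSLProtocol=%r: %s (%s)" % (f["port"], f["SSLProtocol"], status, detail))
```

Run against a real `server.xml` by passing its contents to `audit_connectors`. The default-relying connector on 8443 fails because `all` expands to `TLSv1+SSLv3`, which is exactly the gap the thread is about: on the builds under discussion there is no accepted string that yields a TLS-only set, so the only passing connector is the one using the token form that arrives with the patched builds.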
RE: Anyway to enable just all TLS protocols in APR connector?
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, October 17, 2014 12:26 PM
To: Tomcat Users List
Subject: Re: Anyway to enable just all TLS protocols in APR connector?

> Jeffrey,
>
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>> Documentation for the APR connector says setting SSLProtocol=all (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and TLSv1.2 as well.
>
> Why do you think that's the case?

Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR build.

>> However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations.
>
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched; expect new builds soon.
>
>> In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?
>
> Nope.
>
>> FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default.
>
> This can happen in certain situations, like saying that you want TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that case, you get SSLv23 which I believe in OpenSSL means SSLv3 + SSLv2Hello, which is only as dangerous as SSLv3 right now.

Actually, I was looking at the most recent patch code. It actually modified the definition of ALL to include SSLv2. I pointed it out on Bugzilla, but thought I'd mention it here as well.

>> The question is, if there is no current magic string that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?
>
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.

With baited breath, but not holding it.

> -chris
RE: Anyway to enable just all TLS protocols in APR connector?
-----Original Message-----
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Friday, October 17, 2014 3:04 PM
To: 'Tomcat Users List'
Subject: RE: Anyway to enable just all TLS protocols in APR connector?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, October 17, 2014 12:26 PM
To: Tomcat Users List
Subject: Re: Anyway to enable just all TLS protocols in APR connector?

> Jeffrey,
>
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>> Documentation for the APR connector says setting SSLProtocol=all (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and TLSv1.2 as well.
>
> Why do you think that's the case?

Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR build.

>> However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations.
>
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched; expect new builds soon.
>
>> In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?
>
> Nope.
>
>> FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default.
>
> This can happen in certain situations, like saying that you want TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that case, you get SSLv23 which I believe in OpenSSL means SSLv3 + SSLv2Hello, which is only as dangerous as SSLv3 right now.

Actually, I was looking at the most recent patch code. It actually modified the definition of ALL to include SSLv2. I pointed it out on Bugzilla, but thought I'd mention it here as well.

Chris, when I said most recent, I meant latest posted to the Bugzilla entry when I read it. Just reviewed it again and see that's not the patch you guys are implementing.

>> The question is, if there is no current magic string that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?
>
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.

With baited breath, but not holding it.

> -chris
Re: Anyway to enable just all TLS protocols in APR connector?
On Friday, October 17, 2014 1:05 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:
> With baited breath, but not holding it.

Should be bated breath.

- Bob
Re: Anyway to enable just all TLS protocols in APR connector?
Bob Hall wrote:
> On Friday, October 17, 2014 1:05 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:
>> With baited breath, but not holding it.
>
> Should be bated breath.

But perhaps, dear Bob, Jeffrey meant exactly what he wrote. Having posted to the list and expecting a response, he rested with a glass of milk, waiting for the Tomcat to pounce.
RE: Anyway to enable just all TLS protocols in APR connector?
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, October 17, 2014 3:59 PM
To: Tomcat Users List
Subject: Re: Anyway to enable just all TLS protocols in APR connector?

> Bob Hall wrote:
>> On Friday, October 17, 2014 1:05 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:
>>> With baited breath, but not holding it.
>>
>> Should be bated breath.
>
> But perhaps, dear Bob, Jeffrey meant exactly what he wrote. Having posted to the list and expecting a response, he rested with a glass of milk, waiting for the Tomcat to pounce.

I shall defer to those perhaps wiser than moi: http://www.worldwidewords.org/qa/qa-bai1.htm
Re: Anyway to enable just all TLS protocols in APR connector?
Jeffrey,

On 10/17/14 4:20 PM, Jeffrey Janner wrote:
> -----Original Message-----
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Sent: Friday, October 17, 2014 3:04 PM
> To: 'Tomcat Users List'
> Subject: RE: Anyway to enable just all TLS protocols in APR connector?
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, October 17, 2014 12:26 PM
> To: Tomcat Users List
> Subject: Re: Anyway to enable just all TLS protocols in APR connector?
>
>> Jeffrey,
>>
>> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>>> Documentation for the APR connector says setting SSLProtocol=all (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and TLSv1.2 as well.
>>
>> Why do you think that's the case?
>
> Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR build.
>
>>> However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations.
>>
>> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched; expect new builds soon.
>>
>>> In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?
>>
>> Nope.
>>
>>> FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default.
>>
>> This can happen in certain situations, like saying that you want TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that case, you get SSLv23 which I believe in OpenSSL means SSLv3 + SSLv2Hello, which is only as dangerous as SSLv3 right now.
>
> Actually, I was looking at the most recent patch code. It actually modified the definition of ALL to include SSLv2. I pointed it out on Bugzilla, but thought I'd mention it here as well.
>
> Chris, when I said most recent, I meant latest posted to the Bugzilla entry when I read it. Just reviewed it again and see that's not the patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in subversion and let me know how they work for you (or don't)? No reason to wait until there is an official build for testing.

>>> The question is, if there is no current magic string that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?
>>
>> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
>
> With baited breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

-chris