Re: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 10/17/14 1:12 PM, Jeffrey Janner wrote:
 Documentation for the APR connector says setting SSLProtocol=all 
 (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
 and TLSv1.2 as well.

Why do you think that's the case?

 However, it only seems to accept SSLProtocol strings that include
 TLSv1, SSLv2, SSLv3 or their combinations.

Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
expect new builds soon.

 In other words, there doesn't seem to be a way to specify that you 
 only want all 3 TLS versions and none of the SSL versions. Is
 there something I'm missing?

Nope.

 FYI: I checked Bugzilla on this, and there seems to be some work 
 progressing on coding support, but it also interjected a
 regression to turn SSLv2 back on by default.

This can happen in certain situations, like saying that you want
TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
case, you get SSLv23 which I believe in OpenSSL means SSLv3 +
SSLv2Hello which is only as dangerous as SSLv3 right now.

 The question is, if there is no current magic string that Tomcat 
 will accept to enable full TLS support, is this something we will 
 have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be 
 able to address?

Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
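The practical question in the thread is not what the documentation or the SSLProtocol string says, but which protocol versions the APR/OpenSSL connector actually negotiates. The script below is an added example, not code from the thread or from the Tomcat project: it probes a host with openssl s_client once per protocol version and classifies each handshake from the "Cipher    :" line of the s_client summary (that field layout, and the -ssl3/-tls1/-tls1_1/-tls1_2 option names, are assumptions about your openssl build). The transcripts used to check the classifier are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: verify which SSL/TLS versions a Tomcat APR (OpenSSL-backed)
# connector accepts, instead of trusting the SSLProtocol setting in server.xml.

# Classify one "openssl s_client" transcript.
#   ok      - a cipher was negotiated, so the server accepted that version
#   refused - the Cipher field is 0000 or missing (handshake failed, or the
#             local openssl build lacks that protocol and printed an error)
# Assumption: the summary block prints "Cipher    : <name>" as s_client does.
classify_handshake() {
    transcript="$1"
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000) echo refused ;;
        *)       echo ok ;;
    esac
}

# Probe host:port with a single protocol version forced via an s_client flag.
# stdin is closed immediately so s_client exits after the handshake summary.
probe() {
    host="$1"; port="$2"; flag="$3"
    out=$(printf '' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
    classify_handshake "$out"
}

# Report every version the thread cares about. SSLv2 is deliberately not
# probed: current openssl builds have no -ssl2 option, so a "refused" there
# would say nothing about the server. A TLS-only connector should show
# "refused" for -ssl3 and "ok" for the three TLS flags.
report() {
    host="$1"; port="${2:-443}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$host" "$port" "$flag")"
    done
}

# Usage: report tomcat.example.internal 8443
```

Because a build of openssl without SSLv3 support also yields "refused" for -ssl3, confirm a negative result with a second client (SSL Labs, as Jeffrey did, or an older openssl) before concluding that the connector rejects SSLv3.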



RE: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Jeffrey Janner
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, October 17, 2014 12:26 PM
 To: Tomcat Users List
 Subject: Re: Anyway to enable just all TLS protocols in APR connector?
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256
 
 Jeffrey,
 
 On 10/17/14 1:12 PM, Jeffrey Janner wrote:
  Documentation for the APR connector says setting SSLProtocol=all
  (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
  and TLSv1.2 as well.
 
 Why do you think that's the case?

Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and latest APR build.

 
  However, it only seems to accept SSLProtocol strings that include
  TLSv1, SSLv2, SSLv3 or their combinations.
 
 Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
 expect new builds soon.
 
  In other words, there doesn't seem to be a way to specify that you
  only want all 3 TLS versions and none of the SSL versions. Is
  there something I'm missing?
 
 Nope.
 
  FYI: I checked Bugzilla on this, and there seems to be some work
  progressing on coding support, but it also interjected a
  regression to turn SSLv2 back on by default.
 
 This can happen in certain situations, like saying that you want
 TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
 case, you get SSLv23 which I believe in OpenSSL means SSLv3 +
 SSLv2Hello which is only as dangerous as SSLv3 right now.

Actually, I was looking at the most recent patch code. It actually modified the 
definition of ALL to include SSLv2.
I pointed it out on Bugzilla, but thought I'd mention it here as well.

 
  The question is, if there is no current magic string that Tomcat
  will accept to enable full TLS support, is this something we will
  have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
  able to address?
 
 Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
 
With baited breath, but not holding it.

 
 - -chris



RE: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Jeffrey Janner
 -Original Message-
 From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
 Sent: Friday, October 17, 2014 3:04 PM
 To: 'Tomcat Users List'
 Subject: RE: Anyway to enable just all TLS protocols in APR connector?
 
  -Original Message-
  From: Christopher Schultz [mailto:ch...@christopherschultz.net]
  Sent: Friday, October 17, 2014 12:26 PM
  To: Tomcat Users List
  Subject: Re: Anyway to enable just all TLS protocols in APR connector?
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
 
  Jeffrey,
 
  On 10/17/14 1:12 PM, Jeffrey Janner wrote:
   Documentation for the APR connector says setting SSLProtocol=all
   (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
   and TLSv1.2 as well.
 
  Why do you think that's the case?
 
 Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and latest APR build.
 
 
   However, it only seems to accept SSLProtocol strings that include
   TLSv1, SSLv2, SSLv3 or their combinations.
 
  Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
  expect new builds soon.
 
   In other words, there doesn't seem to be a way to specify that you
   only want all 3 TLS versions and none of the SSL versions. Is
   there something I'm missing?
 
  Nope.
 
   FYI: I checked Bugzilla on this, and there seems to be some work
   progressing on coding support, but it also interjected a
   regression to turn SSLv2 back on by default.
 
  This can happen in certain situations, like saying that you want
  TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
  case, you get SSLv23 which I believe in OpenSSL means SSLv3 +
  SSLv2Hello which is only as dangerous as SSLv3 right now.
 
 Actually, I was looking at the most recent patch code. It actually modified the
 definition of ALL to include SSLv2.
 I pointed it out on Bugzilla, but thought I'd mention it here as well.
 

Chris, when I said most recent, I meant latest posted to the Bugzilla entry 
when I read it.
Just reviewed it again and see that's not the patch you guys are implementing.

 
   The question is, if there is no current magic string that Tomcat
   will accept to enable full TLS support, is this something we will
   have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
   able to address?
 
  Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
 
 With baited breath, but not holding it.
 
 
  - -chris


Re: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Bob Hall
On Friday, October 17, 2014 1:05 PM, Jeffrey Janner 
jeffrey.jan...@polydyne.com wrote:




  With baited breath, but not holding it.

Should be bated breath.

- Bob


Re: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread André Warnier

Bob Hall wrote:

On Friday, October 17, 2014 1:05 PM, Jeffrey Janner 
jeffrey.jan...@polydyne.com wrote:





 With baited breath, but not holding it.


Should be bated breath.



But perhaps, dear Bob, Jeffrey meant exactly what he wrote.
Having posted to the list and expecting a response,
he rested with a glass of milk,
waiting for the Tomcat to pounce.







RE: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Jeffrey Janner
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Sent: Friday, October 17, 2014 3:59 PM
 To: Tomcat Users List
 Subject: Re: Anyway to enable just all TLS protocols in APR connector?
 
 Bob Hall wrote:
  On Friday, October 17, 2014 1:05 PM, Jeffrey Janner
 jeffrey.jan...@polydyne.com wrote:
 
 
 
 
   With baited breath, but not holding it.
 
  Should be bated breath.
 
 
 But perhaps, dear Bob, Jeffrey meant exactly what he wrote.
 Having posted to the list and expecting a response,
 he rested with a glass of milk,
 waiting for the Tomcat to pounce.
 
 
I shall defer to those perhaps wiser than moi:
http://www.worldwidewords.org/qa/qa-bai1.htm




Re: Anyway to enable just all TLS protocols in APR connector?

2014-10-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 10/17/14 4:20 PM, Jeffrey Janner wrote:
 -Original Message-
 From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
 Sent: Friday, October 17, 2014 3:04 PM
 To: 'Tomcat Users List'
 Subject: RE: Anyway to enable just all TLS protocols in APR connector?
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, October 17, 2014 12:26 PM
 To: Tomcat Users List
 Subject: Re: Anyway to enable just all TLS protocols in APR connector?
 
 Jeffrey,
 
 On 10/17/14 1:12 PM, Jeffrey Janner wrote:
 Documentation for the APR connector says setting
 SSLProtocol=all (the default) enables TLSv1+SSLv3, but
 actually enables TLSv1.1 and TLSv1.2 as well.
 
 Why do you think that's the case?
 
 Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and
 latest APR build.
 
 
 However, it only seems to accept SSLProtocol strings that
 include TLSv1, SSLv2, SSLv3 or their combinations.
 
 Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are
 patched; expect new builds soon.
 
 In other words, there doesn't seem to be a way to specify
 that you only want all 3 TLS versions and none of the SSL
 versions. Is there something I'm missing?
 
 Nope.
 
 FYI: I checked Bugzilla on this, and there seems to be some
 work progressing on coding support, but it also interjected
 a regression to turn SSLv2 back on by default.
 
 This can happen in certain situations, like saying that you want 
 TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that 
 case, you get SSLv23 which I believe in OpenSSL means SSLv3 + 
 SSLv2Hello which is only as dangerous as SSLv3 right now.
 
 Actually, I was looking at the most recent patch code. It
 actually modified the definition of ALL to include SSLv2. I
 pointed it out on Bugzilla, but thought I'd mention it here as
 well.
 
 
 Chris, when I said most recent, I meant latest posted to the
 Bugzilla entry when I read it. Just reviewed it again and see
 that's not the patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in
subversion and let me know how they work for you (or don't)? No reason
to wait until there is an official build for testing.

 The question is, if there is no current magic string that
 Tomcat will accept to enable full TLS support, is this
 something we will have to wait for 7.0.57 (and the
 equivalent 6 & 8 versions) to be able to address?
 
 Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as
 well.
 
 With baited breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly
tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

- -chris
