> -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Friday, October 17, 2014 12:26 PM > To: Tomcat Users List > Subject: Re: Anyway to enable just all TLS protocols in APR connector? > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Jeffrey, > > On 10/17/14 1:12 PM, Jeffrey Janner wrote: > > Documentation for the APR connector says setting SSLProtocol="all" > > (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 > > and TLSv1.2 as well. > > Why do you think that's the case?
Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR build. > > > However, it only seems to accept SSLProtocol strings that includes > > TLSv1, SSLv2, SSLv3 or their combinations. > > Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched; > expect new builds soon. > > > In other words, there doesn't seem to be a way to specify that you > > only want all 3 TLS versions and none of the SSL versions. Is > > there something I'm missing? > > Nope. > > > FYI: I checked Bugzilla on this, and there seems to be some work > > progressing on coding support, but it also interjected a > > regression to turn SSLv2 back on by default. > > This can happen in certain situations, like saying that you want > TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that > case, you get SSLv23 which I believe in OpenSSL means "SSLv3 + > SSLv2Hello" which is only as dangerous as SSLv3 right now. Actually, I was looking at the most recent patch code. It actually modified to definition of ALL to include SSLv2. I pointed it out on Bugzilla, but thought I'd mention it here as well. > > > The question is, if there is no current "magic string" that Tomcat > > will accept to enable full TLS support, is this something we will > > have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be > > able to address? > > Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well. With baited breath, but not holding it. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJUQVEbAAoJEBzwKT+lPKRYihIP/jDsBkjhmXZHe1EYQFzn4o > X1 > hdujNBCt7MY3ZRnMJNZJ6UcjphK1AmdKdNAuGVWwLwOhHLwsmKsG9zwp > ousdYwar > /+HUeHpumJeeGxBPlbHW+ch9KVrKLkyfLR1wkmdh8PhdwCI7OcMqpYXipc1r > R4bg > s5/qRnlrONvSC4zYuI0W64P6zkZtFgtn0SMnWnc/eQ+8jGjkPuwfs91pvwDlMaY > / > pwE2cpVOK9VJU9h3hygL3apG1JYCeqmL2Cv+twuXXzGf2jvVUQQJCcFA6JxM > ncpC > PkEwM3OWn+BSuRaOS/mVXvNQE5XbLkgTaEQEKrjqv9wQD+Neally1g7Hrx3j > ddky > kTDSfJumJsSluBfl3XmWkVbYzSZ+02eQ4YI1NhqvNjyYBG+G2uToQFBkIti96kw > 6 > bJzL02fscG2T2sT2ISIQB5nyslwq4oMYsxSIM3dG9Gw0XIOB6cNVjfpVXhSKNa5 > Q > Upf6GWA2E3bWZdgq4G5vvLeTJZWURXEutKwx4ocD6le/in1yCZqqjukqLFRlvL > 5w > /OshW+ShaNIOOc7ZszHhLEFnPr2M984noFhOjpf1Zx0qr0If09voxnt+aYcAWjN > c > e23k6L9TyjA/goD0q9/TU5goVrZD6G/N3mifo94nhkG3J/IloH/JXxVTOwOLqmx > w > PNSWuKf02X3tAJ7ZnDGY > =tLZz > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
