> -----Original Message-----
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Sent: Friday, October 17, 2014 3:04 PM
> To: 'Tomcat Users List'
> Subject: RE: Anyway to enable just all TLS protocols in APR connector?
>
> > -----Original Message-----
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: Friday, October 17, 2014 12:26 PM
> > To: Tomcat Users List
> > Subject: Re: Anyway to enable just all TLS protocols in APR connector?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Jeffrey,
> >
> > On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> > > Documentation for the APR connector says setting SSLProtocol="all"
> > > (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
> > > and TLSv1.2 as well.
> >
> > Why do you think that's the case?
>
> Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR build.
>
> > > However, it only seems to accept SSLProtocol strings that include
> > > TLSv1, SSLv2, SSLv3 or their combinations.
> >
> > Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
> > expect new builds soon.
> >
> > > In other words, there doesn't seem to be a way to specify that you
> > > only want all 3 TLS versions and none of the SSL versions. Is
> > > there something I'm missing?
> >
> > Nope.
> >
> > > FYI: I checked Bugzilla on this, and there seems to be some work
> > > progressing on coding support, but it also interjected a
> > > regression to turn SSLv2 back on by default.
> >
> > This can happen in certain situations, like saying that you want
> > TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
> > case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
> > SSLv2Hello" which is only as dangerous as SSLv3 right now.
>
> Actually, I was looking at the most recent patch code. It actually modified the
> definition of ALL to include SSLv2.
> I pointed it out on Bugzilla, but thought I'd mention it here as well.
>
Chris, when I said most recent, I meant latest posted to the Bugzilla entry when I read it. Just reviewed it again and see that's not the patch you guys are implementing.

> >
> > > The question is, if there is no current "magic string" that Tomcat
> > > will accept to enable full TLS support, is this something we will
> > > have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
> > > able to address?
> >
> > Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
>
> With bated breath, but not holding it.
>
> >
> > - -chris
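The thread turns on what the APR connector actually negotiates, and Jeffrey's evidence is an external Qualys/SSLLabs scan. The following POSIX shell script is an added example, not code from the thread, from Tomcat or from tcnative: it probes a server locally with `openssl s_client` once per protocol version, which is the check an operator can run against a test instance before and after changing SSLProtocol. The host, port and the embedded sample outputs are assumptions constructed for illustration, and the classifier is written so that an openssl binary built without SSLv3 reports "unsupported" rather than a misleading "rejected".

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, Tomcat or tcnative).
# Probes which SSL/TLS versions a server will negotiate, one s_client run per
# version, and classifies each result.  HOST/PORT below are assumptions.

# classify_handshake OUTPUT
# Classifies the text one `openssl s_client` run printed:
#   accepted    - a cipher was negotiated, so the server speaks that version
#   rejected    - the server refused that version (no cipher, or an alert)
#   unsupported - this local openssl build cannot even attempt that version
classify_handshake() {
    out="$1"
    case "$out" in
        *"unknown option"*|*"Unknown option"*|*"null ssl method"*)
            echo unsupported ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo rejected ;;   # nothing negotiated at all (e.g. connection refused)
    esac
}

# probe_version HOST PORT FLAG   (FLAG is one of -ssl3 -tls1 -tls1_1 -tls1_2)
probe_version() {
    host="$1"; port="$2"; flag="$3"
    # s_client reads stdin until EOF; give it nothing so it exits after the handshake.
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    classify_handshake "$out"
}

# probe_all HOST PORT : prints one line per version, e.g. "-tls1_2  accepted"
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Constructed samples shaped like s_client output (not captured from any real server),
# so the classifier can be exercised offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_REJECTED='CONNECTED(00000003)
140735143088640:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3'

SAMPLE_UNSUPPORTED='s_client: Unknown option -ssl3
s_client: Use -help for summary.'

# Usage against an assumed test instance:
#   probe_all tomcat.example.internal 8443
```

Note that a "Protocol :" line in the SSL-Session block is printed even when the handshake fails, so the script keys on the negotiated cipher instead. Current openssl builds usually omit `-ssl3` entirely, which the script reports as unsupported; confirming SSLv3 status on such a box needs an older openssl or an external scan like the one cited in the thread.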