Jeffrey,

On 10/17/14 4:20 PM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
>> Sent: Friday, October 17, 2014 3:04 PM
>> To: 'Tomcat Users List'
>> Subject: RE: Anyway to enable just all TLS protocols in APR connector?
>>
>>> -----Original Message-----
>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>> Sent: Friday, October 17, 2014 12:26 PM
>>> To: Tomcat Users List
>>> Subject: Re: Anyway to enable just all TLS protocols in APR connector?
>>>
>>> Jeffrey,
>>>
>>> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>>>> Documentation for the APR connector says setting SSLProtocol="all"
>>>> (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and
>>>> TLSv1.2 as well.
>>>
>>> Why do you think that's the case?
>>
>> Qualys/SSLLabs reports it as such. Using tomcat 7.0.50 and latest APR
>> build.
>>
>>>> However, it only seems to accept SSLProtocol strings that include
>>>> TLSv1, SSLv2, SSLv3 or their combinations.
>>>
>>> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
>>> expect new builds soon.
>>>
>>>> In other words, there doesn't seem to be a way to specify that you
>>>> only want all 3 TLS versions and none of the SSL versions. Is there
>>>> something I'm missing?
>>>
>>> Nope.
>>>
>>>> FYI: I checked Bugzilla on this, and there seems to be some work
>>>> progressing on coding support, but it also interjected a regression
>>>> to turn SSLv2 back on by default.
>>>
>>> This can happen in certain situations, like saying that you want
>>> TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
>>> case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
>>> SSLv2Hello" which is only as dangerous as SSLv3 right now.
>>
>> Actually, I was looking at the most recent patch code. It actually
>> modified the definition of ALL to include SSLv2. I pointed it out on
>> Bugzilla, but thought I'd mention it here as well.
>
> Chris, when I said most recent, I meant latest posted to the Bugzilla
> entry when I read it. Just reviewed it again and see that's not the
> patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in
subversion and let me know how they work for you (or don't)? No reason
to wait until there is an official build for testing.

>>>> The question is, if there is no current "magic string" that Tomcat
>>>> will accept to enable full TLS support, is this something we will
>>>> have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
>>>> able to address?
>>>
>>> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as
>>> well.
>>
>> With bated breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly
tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

-chris
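An added illustration, not code from this thread, Tomcat or tcnative: a small Python model of the SSLProtocol semantics described above (accepted tokens, the documented and the regressed meaning of "all", and the observation that "all" also admits TLSv1.1/TLSv1.2), used to audit a connector value for legacy SSL and to enumerate which accepted strings, if any, give TLS-only full support. The rule that a single version selects a fixed-version OpenSSL method while several select the version-flexible one is my assumption, as are the constant names.

```python
"""Model of Tomcat 7 APR connector SSLProtocol handling as described in the
thread. Constants and the fixed-vs-flexible-method rule are assumptions, not
tcnative's code."""
from itertools import combinations

# Tokens the connector accepts per the thread (TLSv1, SSLv2, SSLv3, their
# '+'-joined combinations, and the "all" default); anything else is rejected.
ACCEPTED = ("SSLv2", "SSLv3", "TLSv1", "all")
ALL_DOCUMENTED = frozenset({"SSLv3", "TLSv1"})   # "all" as documented
ALL_REGRESSED = ALL_DOCUMENTED | {"SSLv2"}       # the patch regression noted
NEWER_TLS = frozenset({"TLSv1.1", "TLSv1.2"})    # no SSLProtocol token exists
LEGACY = frozenset({"SSLv2", "SSLv3"})
FULL_TLS = frozenset({"TLSv1"}) | NEWER_TLS

def parse_ssl_protocol(value, all_definition=ALL_DOCUMENTED):
    """Split a '+'-joined SSLProtocol value into the selected versions."""
    selected = set()
    for token in value.split("+"):
        token = token.strip()
        if token not in ACCEPTED:
            raise ValueError("unsupported SSLProtocol token: %r" % token)
        selected |= all_definition if token == "all" else {token}
    return frozenset(selected)

def effective_versions(value, all_definition=ALL_DOCUMENTED):
    """Versions OpenSSL would actually negotiate for an SSLProtocol value."""
    selected = parse_ssl_protocol(value, all_definition)
    if len(selected) == 1:
        return selected  # assumption: one version -> fixed-version method
    # Assumption: several versions -> version-flexible (SSLv23) method with
    # only the unselected SSLv2/SSLv3/TLSv1 switched off; TLSv1.1/1.2 have
    # no switch, which is consistent with SSLLabs seeing them for "all".
    return selected | NEWER_TLS

def audit(value, all_definition=ALL_DOCUMENTED):
    """Report enabled versions and whether legacy SSL is still reachable."""
    enabled = effective_versions(value, all_definition)
    legacy = sorted(enabled & LEGACY)
    return {"enabled": sorted(enabled), "legacy": legacy, "tls_only": not legacy}

def full_tls_strings(all_definition=ALL_DOCUMENTED):
    """Every accepted SSLProtocol string whose effect is exactly TLSv1..1.2."""
    hits = []
    for n in range(1, len(ACCEPTED) + 1):
        for combo in combinations(ACCEPTED, n):
            value = "+".join(combo)
            if effective_versions(value, all_definition) == FULL_TLS:
                hits.append(value)
    return hits  # empty: no accepted string yields TLS-only full support
```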