Hi Christopher,

(Apologies for top posting, I cannot find a way to switch to ">" quote for 
Outlook)

Having a utility is an interesting idea but it will not address the regular 
expression rules that OpenSSL supports. For example, I was porting Mozilla's 
Server Side TLS ciphers [1] to our 7.0.62 the other day and at the end you have:

"...:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

So after mapping all the explicit ones before, I had to go and look for the rest 
of the AES suites, then exclude the export suites, ignore the RC4s, etc., etc. I 
did it, kinda, but it was a pain in the neck and it is really not the same rule list. 

Can you point me to the code where 8 and the trunk deal with this? It is not 
really that big of a deal to not have it since once you set your list you don't 
touch it until the next security scare, but since it is security related, I 
thought it would benefit people to be able to have more flexibility on the 
cipher definitions and might be worth backporting.

Regards,
George

[1] 
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
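The rule evaluation George is describing (and the mapping step a command-line utility like the one Christopher proposes below would perform), as an added example that is not Tomcat's code or anything posted in this thread. It assumes a small constructed suite table whose alias tags approximate OpenSSL's; the JSSE names are the standard names for those suites.

```python
# Added example: minimal evaluator for OpenSSL cipher-string rules (":" list,
# "!" permanent exclusion, "-" removal, "+" move-to-end, "A+B" conjunction).
# Constructed sample table: (OpenSSL name, JSSE name, alias tags the suite belongs to)
SUITES = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", {"AES", "HIGH", "aRSA", "kEECDH"}),
    ("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", {"AES", "HIGH", "aRSA", "kEECDH"}),
    ("ECDH-RSA-AES128-SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", {"AES", "HIGH", "aECDH", "kECDH"}),
    ("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", {"AES", "HIGH", "aRSA", "kRSA"}),
    ("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", {"3DES", "HIGH", "aRSA", "kRSA"}),
    ("DES-CBC-SHA", "SSL_RSA_WITH_DES_CBC_SHA", {"DES", "LOW", "aRSA", "kRSA"}),
    ("RC4-SHA", "SSL_RSA_WITH_RC4_128_SHA", {"RC4", "MEDIUM", "aRSA", "kRSA"}),
    ("EXP-RC4-MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", {"RC4", "MD5", "EXPORT", "aRSA", "kRSA"}),
    ("AECDH-AES128-SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", {"AES", "HIGH", "aNULL", "kEECDH"}),
    ("NULL-SHA", "SSL_RSA_WITH_NULL_SHA", {"eNULL", "aRSA", "kRSA"}),
]
JSSE_NAME = {name: jsse for name, jsse, _ in SUITES}

def _matches(pattern, name, tags):
    # "A+B" inside one token means every part must hold; ALL is everything but eNULL.
    for part in pattern.split("+"):
        if part == "ALL":
            if "eNULL" in tags:
                return False
        elif part != name and part not in tags:
            return False
    return True

def expand(spec):
    """Return the OpenSSL suite names selected by an OpenSSL cipher string.
    Plain tokens append matches in table order; "-" drops them (re-addable);
    "!" drops them for the rest of the string; "+" moves them to the end."""
    selected, killed = [], set()
    for token in spec.split(":"):
        if not token or token.startswith("@"):  # @STRENGTH reordering not handled
            continue
        op, pattern = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n, _, tags in SUITES if _matches(pattern, n, tags)]
        if op == "!":
            killed.update(hits)
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected

def to_jsse(spec):
    # Map the expanded, ordered OpenSSL list to the JSSE names Tomcat 7 expects.
    return [JSSE_NAME[n] for n in expand(spec)]
```

Note how the tail of the Mozilla string drops single DES and the static-ECDH suite while keeping DES-CBC3-SHA, which is exactly the bookkeeping that has to be redone by hand without such a parser.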

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, June 24, 2015 8:37 AM
To: Tomcat Users List
Subject: Re: useServerCipherSuitesOrder in 7.0.62

George,

On 6/15/15 10:08 AM, George Stanchev wrote:
> Is there any chance for the OpenSSL-style ciphers to be backported to 
> the 7 release line?

I'm not sure. The biggest problem with the OpenSSL-style ciphers is maintaining 
the mapping, which might change with every release of Java and/or OpenSSL. 
Maintaining it in Tomcat's trunk and 8 is already double the work... adding 
Tomcat 7 is even more work.

I think what might make sense is to wrap a command-line program around the 
trunk/8.0.x utility that does the mapping to build something like OpenSSL's 
"ciphers" command, but that dumps out JSSE-style cipher suites.

Then that could be used independently of any version of Tomcat for those 
versions that don't directly support the openssl-style cipher suites 
configuration.

What do you think?

Another possibility would be to maintain the mapping somewhere other than code 
(where it currently is), and then share that mapping between the various 
versions, perhaps using svn external links. Then the mapping gets updated in a 
single place and all supporting versions of Tomcat can pick it up.

I'll defer to markt who mostly wrote the OpenSSL-JSSE bridge code to decide if 
that might work.

-chris

> -----Original Message-----
> From: George Stanchev [mailto:gstanc...@serena.com]
> Sent: Saturday, June 13, 2015 11:41 AM
> To: Tomcat Users List
> Subject: RE: useServerCipherSuitesOrder in 7.0.62
> 
> Thanks Konstantin,
> 
> I apologize for the shortsightedness. I guess I must have had a space in 
> the search dialog. Thanks for the answers!
> 
> Cheers,
> 
> George
> 
> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: Saturday, June 13, 2015 7:26 AM
> To: Tomcat Users List
> Subject: Re: useServerCipherSuitesOrder in 7.0.62
> 
> 2015-06-13 15:36 GMT+03:00 George Stanchev <gstanc...@serena.com>:
>> Hi,
>> 
>> I was looking at [1] and it looks like the new attribute is available in 
>> 7.0.61 onwards as per Violeta's comment. However I cannot find this 
>> new attribute in the HTTP connector documentation [2] nor the 
>> changelog [3]. Can someone confirm or deny the availability of this 
>> attribute (useServerCipherSuitesOrder) in Tomcat 7.0.62?
> 
> 
> #55988 [1] is mentioned in the changelog, twice (7.0.61, 7.0.60).
> 
> "useServerCipherSuitesOrder" is mentioned in [2] (in "SSL Support
> - BIO and NIO" section).
> 
> Note that this feature requires running with Java 8.
> 
> 
>> As a follow-up question, I seem to remember that 8.0.latest supports 
>> OpenSSL-style list for the HTTP connector "ciphers"
>> attribute. Does 7.0.62 also support this or wasn't it backported?
> 
> 
> It was not backported.
> 
> Relevant classes are in package
> org.apache.tomcat.util.net.jsse.openssl:
> 
> OpenSSLCipherConfigurationParser etc.
> 
>> 
>> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
>> [2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>> [3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
> 
> Best regards, Konstantin Kolinko
> 