On 24/06/2015 16:55, Christopher Schultz wrote:
> There are some related files (like Cipher.java), but start in that
> class right there. I think a simple driver class could take an
> OpenSSL-style cipher string and dump out the JSSE-compatible
> (expanded) cipher suites string.

The key mapping information is held in the Cipher enumeration. There
should be an entry for each known Cipher, excluding a few that aren't
implemented (and are unlikely to be implemented) in OpenSSL or JSSE.

The tricky part isn't porting the mapping but the unit tests, since they
depend on which ciphers are enabled in the JRE, and the unit tests for
older Tomcat versions run on older JREs with fewer ciphers. We could
just skip porting the unit tests.

Mark

> -chris
>
>> Regards,
>> George
>>
>> [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
>>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Wednesday, June 24, 2015 8:37 AM
>> To: Tomcat Users List
>> Subject: Re: useServerCipherSuitesOrder in 7.0.62
>>
>> George,
>>
>> On 6/15/15 10:08 AM, George Stanchev wrote:
>>> Is there any chance for the OpenSSL-style ciphers to be
>>> backported to the 7 release line?
>>
>> I'm not sure. The biggest problem with the OpenSSL-style ciphers
>> is maintaining the mapping, which might change with every release
>> of Java and/or OpenSSL. Maintaining it in Tomcat's trunk and 8 is
>> already double the work... adding Tomcat 7 is even more work.
>>
>> I think what might make sense is to wrap a command-line program
>> around the trunk/8.0.x utility that does the mapping to build
>> something like OpenSSL's "ciphers" command, but that dumps out
>> JSSE-style cipher suites.
>>
>> Then that could be used independently of any version of Tomcat for
>> those versions that don't directly support the OpenSSL-style
>> cipher suites configuration.
>>
>> What do you think?
>>
>> Another possibility would be to maintain the mapping somewhere
>> other than code (where it currently is), and then share that
>> mapping between the various versions, perhaps using svn external
>> links. Then the mapping gets updated in a single place and all
>> supporting versions of Tomcat can pick it up.
>>
>> I'll defer to markt who mostly wrote the OpenSSL-JSSE bridge code
>> to decide if that might work.
>>
>> -chris
>>
>>> -----Original Message-----
>>> From: George Stanchev [mailto:gstanc...@serena.com]
>>> Sent: Saturday, June 13, 2015 11:41 AM
>>> To: Tomcat Users List
>>> Subject: RE: useServerCipherSuitesOrder in 7.0.62
>>>
>>> Thanks Konstantin,
>>>
>>> I apologize for the shortsightedness. I guess I must have had a
>>> space in the search dialog. Thanks for the answers!
>>>
>>> Cheers,
>>> George
>>>
>>> -----Original Message-----
>>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>>> Sent: Saturday, June 13, 2015 7:26 AM
>>> To: Tomcat Users List
>>> Subject: Re: useServerCipherSuitesOrder in 7.0.62
>>>
>>> 2015-06-13 15:36 GMT+03:00 George Stanchev <gstanc...@serena.com>:
>>>> Hi,
>>>>
>>>> I was looking at [1] and it looks like the new attribute is
>>>> available in 7.0.61 onwards as per Violeta's comment. However I
>>>> cannot find this new attribute in the HTTP connector
>>>> documentation [2] nor the changelog [3]. Can someone confirm or
>>>> deny the availability of this attribute
>>>> (useServerCipherSuitesOrder) in Tomcat 7.0.62?
>>>
>>> #55988 [1] is mentioned in the changelog, twice (7.0.61, 7.0.60).
>>>
>>> "useServerCipherSuitesOrder" is mentioned in [2] (in the "SSL Support
>>> - BIO and NIO" section).
>>>
>>> Note that this feature requires running with Java 8.
>>>
>>>> As a follow up question, I seem to remember that 8.0.latest
>>>> supports an OpenSSL-style list for the HTTP connector "ciphers"
>>>> attribute. Does 7.0.62 also support this, or wasn't it
>>>> backported?
>>>
>>> It was not backported.
>>>
>>> Relevant classes are in package
>>> org.apache.tomcat.util.net.jsse.openssl:
>>>
>>> OpenSSLCipherConfigurationParser etc.
>>>
>>>> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
>>>> [2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>>>> [3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
>>>
>>> Best regards,
>>> Konstantin Kolinko
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
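The driver Chris and Mark sketch above (take an OpenSSL-style cipher string, expand it to JSSE suite names) as an added example. This is not Tomcat's code and not its Cipher enum or OpenSSLCipherConfigurationParser: it implements the OpenSSL cipher-string grammar (":" separated words, "!" / "-" / "+" prefixes, "+"-joined aliases meaning AND, and @STRENGTH) over a small constructed table of eleven suites whose kx/au/enc/mac/bits attributes are written in the table itself, with simplified alias definitions. The filter_supported step is the JRE-dependent part Mark describes: the same string yields a shorter list on an older JRE that lacks some suites.

```python
"""OpenSSL-style cipher string -> JSSE cipher suite names (added example).
Not Tomcat's code: TABLE is a small constructed subset of suites and the
aliases are simplified; both exist only to show the expansion logic."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    openssl: str  # OpenSSL name
    jsse: str     # JSSE (Java) name for the same suite
    kx: str       # key exchange: ECDHE, ECDH, DHE, RSA
    au: str       # authentication: RSA, ECDSA, NULL (anonymous)
    enc: str      # bulk cipher: AESGCM, AES, 3DES, RC4, NULL
    mac: str      # AEAD, SHA1, SHA256, SHA384
    bits: int     # effective key strength
    proto: str    # protocol version that introduced the suite

# Constructed subset; columns follow what "openssl ciphers -v" prints.
TABLE = [
    Cipher("ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE", "ECDSA", "AESGCM", "AEAD", 256, "TLSv1.2"),
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "RSA", "AESGCM", "AEAD", 256, "TLSv1.2"),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "RSA", "AESGCM", "AEAD", 128, "TLSv1.2"),
    Cipher("ECDHE-RSA-AES128-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE", "RSA", "AES", "SHA256", 128, "TLSv1.2"),
    Cipher("ECDHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", "RSA", "AES", "SHA1", 128, "TLSv1"),
    Cipher("DHE-RSA-AES128-GCM-SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE", "RSA", "AESGCM", "AEAD", 128, "TLSv1.2"),
    Cipher("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES", "SHA1", 128, "SSLv3"),
    Cipher("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "RSA", "3DES", "SHA1", 112, "SSLv3"),
    Cipher("RC4-SHA", "SSL_RSA_WITH_RC4_128_SHA", "RSA", "RSA", "RC4", "SHA1", 128, "SSLv3"),
    Cipher("AECDH-AES128-SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "ECDH", "NULL", "AES", "SHA1", 128, "TLSv1"),
    Cipher("NULL-SHA", "SSL_RSA_WITH_NULL_SHA", "RSA", "RSA", "NULL", "SHA1", 0, "SSLv3"),
]
NAMES = {c.openssl for c in TABLE}

# Alias -> predicate. HIGH/MEDIUM are simplified (3DES counted as HIGH, RC4
# as MEDIUM); the real classes move between OpenSSL releases, which is the
# maintenance cost the thread is about.
ALIASES = {
    "ALL": lambda c: c.enc != "NULL",
    "HIGH": lambda c: c.bits >= 112 and c.enc != "RC4",
    "MEDIUM": lambda c: c.enc == "RC4",
    "aNULL": lambda c: c.au == "NULL",
    "eNULL": lambda c: c.enc == "NULL",
    "RSA": lambda c: c.kx == "RSA",
    "ECDHE": lambda c: c.kx == "ECDHE",
    "DHE": lambda c: c.kx == "DHE",
    "AES": lambda c: c.enc in ("AES", "AESGCM"),
    "AESGCM": lambda c: c.enc == "AESGCM",
    "3DES": lambda c: c.enc == "3DES",
    "RC4": lambda c: c.enc == "RC4",
    "SHA1": lambda c: c.mac == "SHA1",
    "SHA256": lambda c: c.mac == "SHA256",
    "TLSv1.2": lambda c: c.proto == "TLSv1.2",
}


def _matches(word, c):
    """A word is one or more atoms joined by '+'; every atom must match."""
    for atom in word.split("+"):
        if atom in NAMES:
            if atom != c.openssl:
                return False
        elif atom in ALIASES:
            if not ALIASES[atom](c):
                return False
        else:  # strict by choice: reject unknown words instead of ignoring them
            raise ValueError(f"unknown cipher or alias: {atom!r}")
    return True


def evaluate(spec):
    """Apply an OpenSSL-style cipher string to TABLE; returns ordered Ciphers."""
    active, killed = [], set()
    for word in re.split(r"[:,\s]+", spec.strip()):
        if not word:
            continue
        if word == "@STRENGTH":  # stable sort: equal strengths keep their order
            active.sort(key=lambda c: -c.bits)
            continue
        op, body = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        matched = [c for c in TABLE if _matches(body, c)]
        if op == "!":    # remove and forbid re-adding later in the string
            killed.update(matched)
            active = [c for c in active if c not in killed]
        elif op == "-":  # remove, but a later word may add it back
            active = [c for c in active if c not in matched]
        elif op == "+":  # keep, but move to the end (lowest preference)
            active = [c for c in active if c not in matched] + \
                     [c for c in active if c in matched]
        else:            # add in table order, skipping killed and duplicates
            active += [c for c in matched if c not in killed and c not in active]
    return active


def to_jsse(spec):
    """The driver the thread describes: OpenSSL string in, JSSE names out."""
    return [c.jsse for c in evaluate(spec)]


def filter_supported(jsse_names, jre_supported):
    """Drop suites this JRE cannot offer (the JRE-dependent step Mark mentions:
    one string, different results on JREs with fewer enabled ciphers)."""
    jre_supported = set(jre_supported)
    return [n for n in jsse_names if n in jre_supported]
```

to_jsse("ALL:!aNULL:!eNULL:+SHA1") returns the nine non-anonymous, non-null suites with the SHA1 ones moved to the end; "ALL:-RC4:RC4" re-adds RC4-SHA at the end while "ALL:!RC4:RC4" never does, which is the one behavioural difference between "-" and "!" worth remembering when writing a ciphers attribute. On a real JRE the list passed to filter_supported would come from SSLContext.getSupportedSSLParameters().getCipherSuites().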