Posted to users@tomcat.apache.org by Michael Orr <mi...@gmail.com> on 2017/01/17 11:23:15 UTC

Ability to set cipher suites for websocket connections

Hi,

There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
that you can use to provide the list of permitted SSL protocols when
connecting to a websocket with WsWebSocketContainer.  I was expecting
that there would be a similar property to allow you to set the list of
permitted SSL cipher suites as well.

I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
there doesn't seem to be any mention of such an option.  I can see it
calling SSLEngine.setEnabledProtocols() but not
SSLEngine.setEnabledCipherSuites().

Is there a particular reason why there is no
"org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
simply an oversight?

Thanks, and keep up the great work!

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
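
The check described in the message above, sketched at the JSSE level as an added example; it is not Tomcat's code and not a patch from this thread. The `SSL_CIPHER_SUITES` property is the hypothetical name proposed in the message, and its comma-separated value format, the class name, and the helper names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class WsClientTlsSettings {
    static final String SSL_PROTOCOLS = "org.apache.tomcat.websocket.SSL_PROTOCOLS";
    // Hypothetical: the name proposed in the thread, not an existing Tomcat option.
    static final String SSL_CIPHER_SUITES = "org.apache.tomcat.websocket.SSL_CIPHER_SUITES";

    // Splits a comma-separated value and keeps only names the engine supports,
    // because the SSLEngine setters throw IllegalArgumentException on unknown names.
    static String[] permitted(String value, String[] supported) {
        List<String> known = Arrays.asList(supported);
        List<String> kept = new ArrayList<>();
        for (String name : value.split(",")) {
            if (known.contains(name.trim())) kept.add(name.trim());
        }
        // Fail closed: an empty result must not silently fall back to the JVM defaults.
        if (kept.isEmpty()) throw new IllegalArgumentException("Nothing usable in: " + value);
        return kept.toArray(new String[0]);
    }

    // Applies both restrictions to a client-mode engine before the handshake starts.
    static SSLEngine configure(SSLEngine engine, Map<String, Object> userProperties) {
        engine.setUseClientMode(true);
        String protocols = (String) userProperties.get(SSL_PROTOCOLS);
        if (protocols != null) {
            engine.setEnabledProtocols(permitted(protocols, engine.getSupportedProtocols()));
        }
        String suites = (String) userProperties.get(SSL_CIPHER_SUITES);
        if (suites != null) {
            engine.setEnabledCipherSuites(permitted(suites, engine.getSupportedCipherSuites()));
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = new HashMap<>();
        props.put(SSL_PROTOCOLS, "TLSv1.2");
        // Constructed sample value; the last entry is deliberately not a real suite.
        props.put(SSL_CIPHER_SUITES, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,NOT_A_REAL_SUITE");
        SSLEngine engine = configure(SSLContext.getDefault().createSSLEngine(), props);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
        System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```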


Re: Ability to set cipher suites for websocket connections

Posted by Michael Orr <mi...@gmail.com>.
On 17 January 2017 at 13:39, Mark Thomas <ma...@apache.org> wrote:
> On 17/01/2017 11:23, Michael Orr wrote:
>> Hi,
>>
>> There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
>> that you can use to provide the list of permitted SSL protocols when
>> connecting to a websocket with WsWebSocketContainer.  I was expecting
>> that there would be a similar property to allow you to set the list of
>> permitted SSL cipher suites as well.
>>
>> I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
>> there doesn't seem to be any mention of such an option.  I can see it
>> calling SSLEngine.setEnabledProtocols() but not
>> SSLEngine.setEnabledCipherSuites().
>>
>> Is there a particular reason why there is no
>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
>> simply an oversight?
>
> No reason I can think of. Patches welcome :)
>
> Mark
>
>>
>> Thanks, and keep up the great work!
>>
>> Michael
>>

I'll see what I can do!

Thanks for your fast response.

Michael



Re: [OT] Ability to set cipher suites for websocket connections

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 1/17/17 2:53 PM, Mark Thomas wrote:
> On 17/01/2017 19:32, Christopher Schultz wrote:
>> Mark,
>> 
>> On 1/17/17 8:39 AM, Mark Thomas wrote:
>>> On 17/01/2017 11:23, Michael Orr wrote:
>>>> Hi,
>>>> 
>>>> There is a user property 
>>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use
>>>> to provide the list of permitted SSL protocols when
>>>> connecting to a websocket with WsWebSocketContainer.  I was
>>>> expecting that there would be a similar property to allow you
>>>> to set the list of permitted SSL cipher suites as well.
>>>> 
>>>> I've checked the code (for version 7.0.73, and also
>>>> 9.0.0.M15) and there doesn't seem to be any mention of such
>>>> an option.  I can see it calling
>>>> SSLEngine.setEnabledProtocols() but not 
>>>> SSLEngine.setEnabledCipherSuites().
>>>> 
>>>> Is there a particular reason why there is no 
>>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or
>>>> is it simply an oversight?
>> 
>>> No reason I can think of. Patches welcome :)
>> 
>> I'm curious: since the existing <Connector> (possibly) contains a
>> TLS configuration, why does Websocket specifically require a
>> separate configuration?
> 
> This is for the WebSocket client, not the server.

Hah... of course. *duh*

-chris



Re: [OT] Ability to set cipher suites for websocket connections

Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2017 19:32, Christopher Schultz wrote:
> Mark,
> 
> On 1/17/17 8:39 AM, Mark Thomas wrote:
>> On 17/01/2017 11:23, Michael Orr wrote:
>>> Hi,
>>>
>>> There is a user property
>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>>> provide the list of permitted SSL protocols when connecting to a
>>> websocket with WsWebSocketContainer.  I was expecting that there
>>> would be a similar property to allow you to set the list of 
>>> permitted SSL cipher suites as well.
>>>
>>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>>> and there doesn't seem to be any mention of such an option.  I
>>> can see it calling SSLEngine.setEnabledProtocols() but not 
>>> SSLEngine.setEnabledCipherSuites().
>>>
>>> Is there a particular reason why there is no 
>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>>> it simply an oversight?
> 
>> No reason I can think of. Patches welcome :)
> 
> I'm curious: since the existing <Connector> (possibly) contains a TLS
> configuration, why does Websocket specifically require a separate
> configuration?

This is for the WebSocket client, not the server.

Mark



Re: [OT] Ability to set cipher suites for websocket connections

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 1/17/17 8:39 AM, Mark Thomas wrote:
> On 17/01/2017 11:23, Michael Orr wrote:
>> Hi,
>> 
>> There is a user property
>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>> provide the list of permitted SSL protocols when connecting to a
>> websocket with WsWebSocketContainer.  I was expecting that there
>> would be a similar property to allow you to set the list of 
>> permitted SSL cipher suites as well.
>> 
>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>> and there doesn't seem to be any mention of such an option.  I
>> can see it calling SSLEngine.setEnabledProtocols() but not 
>> SSLEngine.setEnabledCipherSuites().
>> 
>> Is there a particular reason why there is no 
>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>> it simply an oversight?
> 
> No reason I can think of. Patches welcome :)

I'm curious: since the existing <Connector> (possibly) contains a TLS
configuration, why does Websocket specifically require a separate
configuration?

-chris



Re: Ability to set cipher suites for websocket connections

Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2017 11:23, Michael Orr wrote:
> Hi,
> 
> There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
> that you can use to provide the list of permitted SSL protocols when
> connecting to a websocket with WsWebSocketContainer.  I was expecting
> that there would be a similar property to allow you to set the list of
> permitted SSL cipher suites as well.
> 
> I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
> there doesn't seem to be any mention of such an option.  I can see it
> calling SSLEngine.setEnabledProtocols() but not
> SSLEngine.setEnabledCipherSuites().
> 
> Is there a particular reason why there is no
> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
> simply an oversight?

No reason I can think of. Patches welcome :)

Mark

> 
> Thanks, and keep up the great work!
> 
> Michael
> 

