Posted to dev@tomcat.apache.org by Rainer Jung <ra...@kippdata.de> on 2015/05/26 17:40:17 UTC

TC trunk: protocol in SSLHostConfig only for OpenSSL?

I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or 
also for JSSE? There's also sslProtocol, which seems to be for JSSE but 
the docs looked like protocol were for both. Or is it work in progress?

Thanks for any hints.

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: TC trunk: protocol in SSLHostConfig only for OpenSSL?

Posted by Mark Thomas <ma...@apache.org>.
On 26/05/2015 17:02, Rémy Maucherat wrote:
> 2015-05-26 17:40 GMT+02:00 Rainer Jung <ra...@kippdata.de>:
> 
>> I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
>> also for JSSE? There's also sslProtocol, which seems to be for JSSE but the
>> docs looked like protocol were for both. Or is it work in progress?
>>
> 
> No, "protocols" is used for both types.

+1.

> "sslProtocol" is JSSE only since it would be the JCE provider name (as in
> javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
> mostly unusable, configuration doesn't look very useful (it should be
> "TLS").

I agree and I was tempted to remove it in the recent refactoring but I
kept it on the grounds we have gone in the direction of exposing as many
of the configuration options as possible.

It wouldn't take much to convince me to remove this if that is what
folks here would prefer.

Mark




Re: TC trunk: protocol in SSLHostConfig only for OpenSSL?

Posted by Mark Thomas <ma...@apache.org>.
On 26/05/2015 18:59, Rainer Jung wrote:
> Am 26.05.2015 um 18:02 schrieb Rémy Maucherat:
>> 2015-05-26 17:40 GMT+02:00 Rainer Jung <ra...@kippdata.de>:
>>
>>> I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
>>> also for JSSE? There's also sslProtocol, which seems to be for JSSE
>>> but the
>>> docs looked like protocol were for both. Or is it work in progress?
>>>
>>
>> No, "protocols" is used for both types.
>>
>> "sslProtocol" is JSSE only since it would be the JCE provider name (as in
>> javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
>> mostly unusable, configuration doesn't look very useful (it should be
>> "TLS").
> 
> OK, thanks Rémy, I corrected a wrong addition I had put into the docs.
> 
> Related: JSSE by default uses "supported protocols minus everything that
> includes SSL". APR uses all="TLSv1+TLSv1_1+TLSv1_2+SSLv2Hello". It is a
> blacklist approach versus a whitelist approach (for the defaults).
> 
> This will drift apart once new protocols like TLS 1.3 get introduced. I
> wonder whether we want to harmonize handling of default/all between
> OpenSSL and JSSE.
> 
> If a new protocol shows up, for JSSE I assume you'd have to update the
> JVM only. For APR you'd have to update the OpenSSL underneath tcnative
> plus Tomcat. I know that new protocols show up only very rarely but I
> wonder whether we want to use the same approach in both JSSE and OpenSSL
> and whether it would be a blacklist approach like in JSSE or a whitelist
> approach like in APR.

I think a default of everything we know is supported less those we know
are not secure.

Mark




Re: TC trunk: protocol in SSLHostConfig only for OpenSSL?

Posted by Rainer Jung <ra...@kippdata.de>.
Am 26.05.2015 um 18:02 schrieb Rémy Maucherat:
> 2015-05-26 17:40 GMT+02:00 Rainer Jung <ra...@kippdata.de>:
>
>> I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
>> also for JSSE? There's also sslProtocol, which seems to be for JSSE but the
>> docs looked like protocol were for both. Or is it work in progress?
>>
>
> No, "protocols" is used for both types.
>
> "sslProtocol" is JSSE only since it would be the JCE provider name (as in
> javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
> mostly unusable, configuration doesn't look very useful (it should be
> "TLS").

OK, thanks Rémy, I corrected a wrong addition I had put into the docs.

Related: JSSE by default uses "supported protocols minus everything that 
includes SSL". APR uses all="TLSv1+TLSv1_1+TLSv1_2+SSLv2Hello". It is a 
blacklist approach versus a whitelist approach (for the defaults).

This will drift apart once new protocols like TLS 1.3 get introduced. I 
wonder whether we want to harmonize handling of default/all between 
OpenSSL and JSSE.

If a new protocol shows up, for JSSE I assume you'd have to update the 
JVM only. For APR you'd have to update the OpenSSL underneath tcnative 
plus Tomcat. I know that new protocols show up only very rarely but I 
wonder whether we want to use the same approach in both JSSE and OpenSSL 
and whether it would be a blacklist approach like in JSSE or a whitelist 
approach like in APR.

Regards,

Rainer
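As an added example, not code from this thread or from Tomcat itself: a small Java program that contrasts the blacklist default Rainer describes for JSSE (supported protocols minus anything containing "SSL") with the whitelist default he describes for APR, first over a constructed protocol list that already contains TLSv1.3 to show the drift he anticipates, then over the protocols this JVM's JSSE really reports. The APR names are spelled the JSSE way here (TLSv1.1 rather than TLSv1_1); that spelling is an assumption for the comparison.

```java
import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolDefaults {

    // Whitelist standing in for the APR "all" default from the thread,
    // written with JSSE protocol names (assumption, see lead-in).
    static final List<String> APR_ALL =
            Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2", "SSLv2Hello");

    // Blacklist approach: everything the runtime supports, minus any name
    // that includes "SSL". A new TLS version is picked up with no list change.
    static List<String> jsseStyleDefault(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String p : supported) {
            if (!p.contains("SSL")) {
                out.add(p);
            }
        }
        return out;
    }

    // Whitelist approach: only the names on the fixed list, and only those
    // the runtime actually supports. A new TLS version stays off until the
    // list itself is updated.
    static List<String> aprStyleDefault(String[] supported) {
        List<String> out = new ArrayList<>(Arrays.asList(supported));
        out.retainAll(APR_ALL);
        return out;
    }

    public static void main(String[] args)
            throws NoSuchAlgorithmException, KeyManagementException {
        // Constructed list representing a future runtime that has gained TLSv1.3.
        String[] future = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
        System.out.println("blacklist default: " + jsseStyleDefault(future));
        System.out.println("whitelist default: " + aprStyleDefault(future));

        // The same blacklist rule applied to what this JVM's JSSE really supports.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("this JVM supports: " + Arrays.toString(supported));
        System.out.println("blacklist default: " + jsseStyleDefault(supported));
    }
}
```

On the constructed list the blacklist result contains TLSv1.3 while the whitelist result does not, which is the drift between the two defaults that the thread discusses.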



Re: TC trunk: protocol in SSLHostConfig only for OpenSSL?

Posted by Rémy Maucherat <re...@apache.org>.
2015-05-26 17:40 GMT+02:00 Rainer Jung <ra...@kippdata.de>:

> I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
> also for JSSE? There's also sslProtocol, which seems to be for JSSE but the
> docs looked like protocol were for both. Or is it work in progress?
>

No, "protocols" is used for both types.

"sslProtocol" is JSSE only since it would be the JCE provider name (as in
javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
mostly unusable, configuration doesn't look very useful (it should be
"TLS").

Rémy