Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/11/14 11:42:47 UTC

[VOTE] Release Apache Tomcat 6.0.43

The proposed Apache Tomcat 6.0.43 release is now available for voting.

The key changes since 6.0.41 are:

- Disable SSLv3 by default in light of the recently announced POODLE
  vulnerability. (CVE-2014-3566)

- Update to Tomcat Native Library version 1.1.32 to pick up the Windows
  binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.

- Various fixes to EL parsing when EL is used in a JSP.


It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1027/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/

The proposed 6.0.43 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 6.0.43 Stable

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[RESULT][VOTE] Release Apache Tomcat 6.0.43

Posted by Mark Thomas <ma...@apache.org>.
The following votes were cast:

Binding:
+1: markt, kkolinko, violetagg, jfclere

Non-binding:
+1: Andrew Carr

This vote therefore passes.

Mark



Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Mark Thomas <ma...@apache.org>.
On 14/11/2014 10:42, Mark Thomas wrote:
> The proposed Apache Tomcat 6.0.43 release is now available for voting.
> 
> The key changes since 6.0.41 are:
> 
> - Disable SSLv3 by default in light of the recently announced POODLE
>   vulnerability. (CVE-2014-3566)
> 
> - Update to Tomcat Native Library version 1.1.32 to pick up the Windows
>   binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.
> 
> - Various fixes to EL parsing when EL is used in a JSP.
> 
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/
> 
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1027/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/
> 
> The proposed 6.0.43 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 6.0.43 Stable

Servlet 2.5 and JSP 2.1 TCKs pass.

Mark



Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by jean-frederic clere <jf...@gmail.com>.
On 11/14/2014 11:42 AM, Mark Thomas wrote:
> [X] Stable - go ahead and release as 6.0.43 Stable

My tests are passing.


Cheers

Jean-Frederic



Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-11-14 13:42 GMT+03:00 Mark Thomas <ma...@apache.org>:
> The proposed Apache Tomcat 6.0.43 release is now available for voting.
>
> The key changes since 6.0.41 are:
>
> - Disable SSLv3 by default in light of the recently announced POODLE
>   vulnerability. (CVE-2014-3566)
>
> - Update to Tomcat Native Library version 1.1.32 to pick up the Windows
>   binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.
>
> - Various fixes to EL parsing when EL is used in a JSP.
>
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1027/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/
>
> The proposed 6.0.43 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 6.0.43 Stable

[x] Stable - go ahead and release as 6.0.43 Stable

Smoke testing is OK.

Best regards,
Konstantin Kolinko



Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
Team,

I can see this "SSLv2" setting impacting the Tomcat community.  If someone
explicitly sets SSLv2 in the sslEnabledProtocols setting their Tomcat SSL
connector will not work properly.  The error does not occur on *startup*,
but occurs when a user tries to access the SSL connector.

-Andrew


On Mon, Nov 17, 2014 at 2:26 PM, Andrew Carr <an...@gmail.com>
wrote:

> +1 stable << for me
>
> However, and I don't know if this is a game changer, I am having a problem
> when implementing SSL using the NIOConnector, although the problem does
> not look like a Tomcat source problem.   I did verify that disabling SSLv3
> does indeed prevent a client from connecting to the server with SSLv3
> protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg
> exception...  Looks like this would be on the Java side, should I log it?
> SSLv2 is a valid option according to the Java documentation.
>
> Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
>
> Based on this though I think I should log the error with Oracle?  I was
> using JDK 7, and I based "SSLv2" being valid from the protocol list here:
> https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
>
> -Andrew
>
>
> Full Exception:
> Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
>         at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
>         at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
>         at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2023)
>         at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1144)
>         at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1097)
>         at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1322)
>         at java.lang.Thread.run(Thread.java:745)
>
> Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>
>
>
> On Mon, Nov 17, 2014 at 5:39 AM, Violeta Georgieva <mi...@gmail.com>
> wrote:
>
>> +1 stable
>>
>> Regards,
>> Violeta
>>
>> On Friday, 14 November 2014, Mark Thomas <ma...@apache.org> wrote:
>>
>> > The proposed Apache Tomcat 6.0.43 release is now available for voting.
>> >
>> > The key changes since 6.0.41 are:
>> >
>> > - Disable SSLv3 by default in light of the recently announced POODLE
>> >   vulnerability. (CVE-2014-3566)
>> >
>> > - Update to Tomcat Native Library version 1.1.32 to pick up the Windows
>> >   binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.
>> >
>> > - Various fixes to EL parsing when EL is used in a JSP.
>> >
>> >
>> > It can be obtained from:
>> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/
>> >
>> > The Maven staging repo is:
>> > https://repository.apache.org/content/repositories/orgapachetomcat-1027/
>> > The svn tag is:
>> > http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/
>> >
>> > The proposed 6.0.43 release is:
>> > [ ] Broken - do not release
>> > [ ] Stable - go ahead and release as 6.0.43 Stable
>> >
>> >
>> >
>>
>
>
>
> --
> With Regards,
> Andrew Carr
>
> e. andrewlanecarr@gmail.com
> w. andrew.carr@openlogic.com
> h. 4235255668
> c. 4239489852
> a. 101 Francis Drive, Greeneville, TN, 37743
>



-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
Chris,

Thanks for the response.  I didn't understand the "nope" at the bottom.
Was it in reference to the Java 8 documentation or the screenshot?  If it
was the screenshot, it is attached to my email, but maybe the mailing list
removed it?

http://snag.gy/lcyLt.jpg

-Andrew

On Thu, Nov 20, 2014 at 3:54 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Andrew,
>
> On 11/19/14 2:47 AM, Andrew Carr wrote:
> > If you review the Tomcat 6 documentation
> > here:
> https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
> >  , you will see "sslEnabledProtocols."   On the desc. for that setting
> > there are links for Java 6 and Java 7 protocol lists, and they both
> > include SSLv2.  Not nitpicking here, just know that I saw it.  I was
> > looking at the TC 6 -> Java 6 / 7 documentation because I was working
> > with Tomcat 6 and Java 7.
>
> Fair enough. Two thoughts:
>
> 1. This is not a regression; it would have happened to any previous
> Tomcat 6.x with this JVM version
> 2. Nobody cares about SSLv2 and it's good that new JVMs will fail to
> configure a socket with that protocol enabled
>
> > I understand it is not in the Java 8 documentation.   I attached a
> > screenshot.
>
> Nope.
>
> -chris
>
> > On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz
> > <chris@christopherschultz.net> wrote:
> >
> >     Andrew,
> >
> >     On 11/18/14 2:58 PM, Andrew Carr wrote:
> >     > Chris,
> >     >
> >     > Thank you for the response. I will include the full stack trace
> next time.
> >     >
> >     >>
> >     >>
> >     >>
> >     >> Note that, like polio, SSLv2 has been wiped from the face of the
> planet.
> >     >>
> >     >> This is not an error. This will not impact anyone of consequence.
> >     >>
> >     >> You may be looking for "SSLv2Hello".
> >     >>
> >     >> -chris
> >     >>
> >     >>
> >     >>
> >     > You said that I might be looking for SSLv2Hello, but I am not.  My
> point
> >     > is not the use of SSLv2 because it would be wise, but the fact
> that the
> >     > list of protocols on the Oracle page includes SSLv2.
> >
> >     It most certainly *does not*:
> >
> >
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> >
> >     SSLv2 is dead, dead, dead.
> >
> >     > This list is referred
> >     > to by the tomcat configuration documentation, which would lead
> someone to
> >     > believe this is a valid setting.  Maybe we just add a note about
> SSLv2?
> >
> >     There are notes everywhere that SSLv2 is not trusted.
> >
> >     > Maybe it's not important?
> >
> >     Not really. Anyone wanting to use SSLv2 should experience abject
> >     failure.
> >
> >     -chris
> >
> >
> >
> >
> > --
> > With Regards,
> > Andrew Carr
> >
> > e. andrewlanecarr@gmail.com
> > w. andrew.carr@openlogic.com
> > h. 4235255668
> > c. 4239489852
> > a. 101 Francis Drive, Greeneville, TN, 37743
> >
> >
> >
> >
>
>


-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrew,

On 11/19/14 2:47 AM, Andrew Carr wrote:
> If you review the Tomcat 6 documentation
> here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
>  , you will see "sslEnabledProtocols."   On the desc. for that setting
> there are links for Java 6 and Java 7 protocol lists, and they both
> include SSLv2.  Not nitpicking here, just know that I saw it.  I was
> looking at the TC 6 -> Java 6 / 7 documentation because I was working
> with Tomcat 6 and Java 7.

Fair enough. Two thoughts:

1. This is not a regression; it would have happened to any previous
Tomcat 6.x with this JVM version
2. Nobody cares about SSLv2 and it's good that new JVMs will fail to
configure a socket with that protocol enabled

> I understand it is not in the Java 8 documentation.   I attached a
> screenshot.

Nope.

-chris

> On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> 
>     Andrew,
> 
>     On 11/18/14 2:58 PM, Andrew Carr wrote:
>     > Chris,
>     >
>     > Thank you for the response. I will include the full stack trace next time.
>     >
>     >>
>     >>
>     >>
>     >> Note that, like polio, SSLv2 has been wiped from the face of the planet.
>     >>
>     >> This is not an error. This will not impact anyone of consequence.
>     >>
>     >> You may be looking for "SSLv2Hello".
>     >>
>     >> -chris
>     >>
>     >>
>     >>
>     > You said that I might be looking for SSLv2Hello, but I am not.  My point
>     > is not the use of SSLv2 because it would be wise, but the fact that the
>     > list of protocols on the Oracle page includes SSLv2.
> 
>     It most certainly *does not*:
> 
>     https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> 
>     SSLv2 is dead, dead, dead.
> 
>     > This list is referred
>     > to by the tomcat configuration documentation, which would lead someone to
>     > believe this is a valid setting.  Maybe we just add a note about SSLv2?
> 
>     There are notes everywhere that SSLv2 is not trusted.
> 
>     > Maybe it's not important?
> 
>     Not really. Anyone wanting to use SSLv2 should experience abject
>     failure.
> 
>     -chris
> 
> 
> 
> 
> -- 
> With Regards,
> Andrew Carr
> 
> e. andrewlanecarr@gmail.com
> w. andrew.carr@openlogic.com
> h. 4235255668
> c. 4239489852
> a. 101 Francis Drive, Greeneville, TN, 37743
> 
> 
> 
> 


Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
If you review the Tomcat 6 documentation here:
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support  ,
you will see "sslEnabledProtocols."   On the desc. for that setting there
are links for Java 6 and Java 7 protocol lists, and they both include
SSLv2.  Not nitpicking here, just know that I saw it.  I was looking at the
TC 6 -> Java 6 / 7 documentation because I was working with Tomcat 6 and
Java 7.

I understand it is not in the Java 8 documentation.   I attached a
screenshot.

On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Andrew,
>
> On 11/18/14 2:58 PM, Andrew Carr wrote:
> > Chris,
> >
> > Thank you for the response. I will include the full stack trace next
> time.
> >
> >>
> >>
> >>
> >> Note that, like polio, SSLv2 has been wiped from the face of the planet.
> >>
> >> This is not an error. This will not impact anyone of consequence.
> >>
> >> You may be looking for "SSLv2Hello".
> >>
> >> -chris
> >>
> >>
> >>
> > You said that I might be looking for SSLv2Hello, but I am not.  My point
> > is not the use of SSLv2 because it would be wise, but the fact that the
> > list of protocols on the Oracle page includes SSLv2.
>
> It most certainly *does not*:
>
>
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>
> SSLv2 is dead, dead, dead.
>
> > This list is referred
> > to by the tomcat configuration documentation, which would lead someone to
> > believe this is a valid setting.  Maybe we just add a note about SSLv2?
>
> There are notes everywhere that SSLv2 is not trusted.
>
> > Maybe it's not important?
>
> Not really. Anyone wanting to use SSLv2 should experience abject failure.
>
> -chris
>
>


-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrew,

On 11/18/14 2:58 PM, Andrew Carr wrote:
> Chris,
> 
> Thank you for the response. I will include the full stack trace next time.
> 
>>
>>
>>
>> Note that, like polio, SSLv2 has been wiped from the face of the planet.
>>
>> This is not an error. This will not impact anyone of consequence.
>>
>> You may be looking for "SSLv2Hello".
>>
>> -chris
>>
>>
>>
> You said that I might be looking for SSLv2Hello, but I am not.  My point
> is not the use of SSLv2 because it would be wise, but the fact that the
> list of protocols on the Oracle page includes SSLv2.

It most certainly *does not*:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

SSLv2 is dead, dead, dead.

> This list is referred
> to by the tomcat configuration documentation, which would lead someone to
> believe this is a valid setting.  Maybe we just add a note about SSLv2?

There are notes everywhere that SSLv2 is not trusted.

> Maybe it's not important?

Not really. Anyone wanting to use SSLv2 should experience abject failure.

-chris


Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
Chris,

Thank you for the response. I will include the full stack trace next time.

>
>
>
> Note that, like polio, SSLv2 has been wiped from the face of the planet.
>
> This is not an error. This will not impact anyone of consequence.
>
> You may be looking for "SSLv2Hello".
>
> -chris
>
>
>
You said that I might be looking for SSLv2Hello, but I am not.  My point
is not the use of SSLv2 because it would be wise, but the fact that the
list of protocols on the Oracle page includes SSLv2.  This list is referred
to by the tomcat configuration documentation, which would lead someone to
believe this is a valid setting.  Maybe we just add a note about SSLv2?
Maybe it's not important?


-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrew,

On 11/17/14 2:26 PM, Andrew Carr wrote:
> +1 stable << for me
> 
> However, and I don't know if this is a game changer, I am having a problem
> when implementing SSL using the NIOConnector, although the problem does
> not look like a Tomcat source problem.   I did verify that disabling SSLv3
> does indeed prevent a client from connecting to the server with SSLv3
> protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg
> exception...  Looks like this would be on the Java side, should I log it?
> SSLv2 is a valid option according to the Java documentation.
> 
> Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)

Please provide the remainder of the stack trace next time.

> Based on this though I think I should log the error with Oracle?  I was
> using JDK 7, and I based "SSLv2" being valid from the protocol list here:
> https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames

Note that, like polio, SSLv2 has been wiped from the face of the planet.

This is not an error. This will not impact anyone of consequence.

You may be looking for "SSLv2Hello".

-chris




Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
Thanks Konstantin

On Tue, Nov 18, 2014 at 3:09 PM, Konstantin Kolinko <kn...@gmail.com>
wrote:

> 2014-11-17 22:26 GMT+03:00 Andrew Carr <an...@gmail.com>:
> > +1 stable << for me
> >
> > However, and I don't know if this is a game changer, I am having a problem
> > when implementing SSL using the NIOConnector, although the problem does
> > not look like a Tomcat source problem.   I did verify that disabling SSLv3
> > does indeed prevent a client from connecting to the server with SSLv3
> > protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg
> > exception...  Looks like this would be on the Java side, should I log it?
> > SSLv2 is a valid option according to the Java documentation.
> >
> > Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> > SEVERE:
> > java.lang.IllegalArgumentException: SSLv2
> >         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
> >
> > Based on this though I think I should log the error with Oracle?  I was
> > using JDK 7, and I based "SSLv2" being valid from the protocol list here:
> > https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
> >
> > -Andrew
> >
> >
> > Full Exception:
> > Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> > SEVERE:
> > java.lang.IllegalArgumentException: SSLv2
> >         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
> >         at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
> >         at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
>
>
> I think that is just Sun/Oracle's way to remove support for SSLv2.
> There is nothing that Tomcat devs can do about it.
>
> That "standard names" page is just a general reference.  Specific JRE
> vendors may implement a subset/superset of it.
>
> E.g. if you follow "Note: The Sun Provider Documentation contains
> specific provider and algorithm information." link at the top of the
> page, you come here:
>
> https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
>
> and there is no SSLv2 on that second page.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>


-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-11-17 22:26 GMT+03:00 Andrew Carr <an...@gmail.com>:
> +1 stable << for me
>
> However, and I don't know if this is a game changer, I am having a problem
> when implementing SSL using the NIOConnector, although the problem does
> not look like a Tomcat source problem.   I did verify that disabling SSLv3
> does indeed prevent a client from connecting to the server with SSLv3
> protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg
> exception...  Looks like this would be on the Java side, should I log it?
> SSLv2 is a valid option according to the Java documentation.
>
> Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
>
> Based on this though I think I should log the error with Oracle?  I was
> using JDK 7, and I based "SSLv2" being valid from the protocol list here:
> https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
>
> -Andrew
>
>
> Full Exception:
> Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
> SEVERE:
> java.lang.IllegalArgumentException: SSLv2
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
>         at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
>         at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)


I think that is just Sun/Oracle's way to remove support for SSLv2.
There is nothing that Tomcat devs can do about it.

That "standard names" page is just a general reference.  Specific JRE
vendors may implement a subset/superset of it.

E.g. if you follow "Note: The Sun Provider Documentation contains
specific provider and algorithm information." link at the top of the
page, you come here:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

and there is no SSLv2 on that second page.

Best regards,
Konstantin Kolinko
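
The point made above, that the "standard names" list is only a general reference and the JVM's provider decides what is really accepted, can be checked before a connector takes traffic. The following is an added example, not part of this thread and not Tomcat code: it compares a comma-separated sslEnabledProtocols value with the protocol names the running JVM's default JSSE provider reports, then shows the same IllegalArgumentException seen in the stack trace. The class name EnabledProtocolsCheck and the sample value are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example (hypothetical class, not Tomcat code). */
public class EnabledProtocolsCheck {

    /** Outcome of classifying one configured protocol list. */
    static final class Result {
        final List<String> usable = new ArrayList<String>();
        // Names the JSSE provider does not implement; setEnabledProtocols rejects them.
        final List<String> unsupported = new ArrayList<String>();
        // Names the provider implements but that should stay disabled.
        final List<String> discouraged = new ArrayList<String>();
    }

    /** Splits the comma-separated attribute value and classifies each name. */
    static Result check(String configured, Set<String> supportedByJvm) {
        Result r = new Result();
        for (String raw : configured.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (!supportedByJvm.contains(name)) {
                r.unsupported.add(name);
            } else if (name.equals("SSLv3")) {
                // SSLv3 is the protocol affected by POODLE (CVE-2014-3566).
                r.discouraged.add(name);
            } else {
                r.usable.add(name);
            }
        }
        return r;
    }

    /** Protocol names implemented by the default JSSE provider of this JVM. */
    static Set<String> jvmSupportedProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new LinkedHashSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; pass the real attribute value as args[0].
        String configured = args.length > 0 ? args[0] : "SSLv2,SSLv3,TLSv1.2";

        Set<String> supported = jvmSupportedProtocols();
        Result r = check(configured, supported);

        System.out.println("JVM supports : " + supported);
        System.out.println("usable       : " + r.usable);
        System.out.println("discouraged  : " + r.discouraged);
        System.out.println("unsupported  : " + r.unsupported);

        if (!r.unsupported.isEmpty()) {
            // Same call that appears in the stack trace in this thread:
            // the engine refuses a protocol name the provider does not know.
            SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            try {
                engine.setEnabledProtocols(r.unsupported.toArray(new String[0]));
            } catch (IllegalArgumentException e) {
                System.out.println("setEnabledProtocols rejected: " + e.getMessage());
            }
            // Non-zero exit so a deployment script can stop before startup.
            System.exit(1);
        }
    }
}
```

Run with the same JVM that will host Tomcat, since the supported list depends on the JRE vendor and version.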



Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Andrew Carr <an...@gmail.com>.
+1 stable << for me

However, and I don't know if this is a game changer, I am having a problem
when implementing SSL using the NIOConnector, although the problem does
not look like a Tomcat source problem.   I did verify that disabling SSLv3
does indeed prevent a client from connecting to the server with SSLv3
protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg
exception...  Looks like this would be on the Java side, should I log it?
SSLv2 is a valid option according to the Java documentation.

Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
java.lang.IllegalArgumentException: SSLv2
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)

Based on this though I think I should log the error with Oracle?  I was
using JDK 7, and I based "SSLv2" being valid from the protocol list here:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames

-Andrew


Full Exception:
Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
java.lang.IllegalArgumentException: SSLv2
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164)
        at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
        at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
        at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2023)
        at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1144)
        at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1097)
        at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1322)
        at java.lang.Thread.run(Thread.java:745)

Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
java.lang.IllegalArgumentException: SSLv2



On Mon, Nov 17, 2014 at 5:39 AM, Violeta Georgieva <mi...@gmail.com>
wrote:

> +1 stable
>
> Regards,
> Violeta
>
> On Friday, 14 November 2014, Mark Thomas <ma...@apache.org> wrote:
>
> > The proposed Apache Tomcat 6.0.43 release is now available for voting.
> >
> > The key changes since 6.0.41 are:
> >
> > - Disable SSLv3 by default in light of the recently announced POODLE
> >   vulnerability. (CVE-2014-3566)
> >
> > - Update to Tomcat Native Library version 1.1.32 to pick up the Windows
> >   binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.
> >
> > - Various fixes to EL parsing when EL is used in a JSP.
> >
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/
> >
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1027/
> > The svn tag is:
> > http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/
> >
> > The proposed 6.0.43 release is:
> > [ ] Broken - do not release
> > [ ] Stable - go ahead and release as 6.0.43 Stable
> >
> >
> >
>



-- 
With Regards,
Andrew Carr

e. andrewlanecarr@gmail.com
w. andrew.carr@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743

Re: [VOTE] Release Apache Tomcat 6.0.43

Posted by Violeta Georgieva <mi...@gmail.com>.
+1 stable

Regards,
Violeta

On Friday, 14 November 2014, Mark Thomas <ma...@apache.org> wrote:

> The proposed Apache Tomcat 6.0.43 release is now available for voting.
>
> The key changes since 6.0.41 are:
>
> - Disable SSLv3 by default in light of the recently announced POODLE
>   vulnerability. (CVE-2014-3566)
>
> - Update to Tomcat Native Library version 1.1.32 to pick up the Windows
>   binaries that are based on OpenSSL 1.0.1j and APR 1.5.1.
>
> - Various fixes to EL parsing when EL is used in a JSP.
>
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1027/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/
>
> The proposed 6.0.43 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 6.0.43 Stable
>
>
>