Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2017/01/17 19:32:07 UTC

Re: [OT] Ability to set cipher suites for websocket connections

Mark,

On 1/17/17 8:39 AM, Mark Thomas wrote:
> On 17/01/2017 11:23, Michael Orr wrote:
>> Hi,
>> 
>> There is a user property
>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>> provide the list of permitted SSL protocols when connecting to a
>> websocket with WsWebSocketContainer.  I was expecting that there
>> would be a similar property to allow you to set the list of 
>> permitted SSL cipher suites as well.
>> 
>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>> and there doesn't seem to be any mention of such an option.  I
>> can see it calling SSLEngine.setEnabledProtocols() but not 
>> SSLEngine.setEnabledCipherSuites().
>> 
>> Is there a particular reason why there is no 
>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>> it simply an oversight?
> 
> No reason I can think of. Patches welcome :)

I'm curious: since the existing <Connector> (possibly) contains a TLS
configuration, why does Websocket specifically require a separate
configuration?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Ability to set cipher suites for websocket connections

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 1/17/17 2:53 PM, Mark Thomas wrote:
> On 17/01/2017 19:32, Christopher Schultz wrote:
>> Mark,
>> 
>> On 1/17/17 8:39 AM, Mark Thomas wrote:
>>> On 17/01/2017 11:23, Michael Orr wrote:
>>>> Hi,
>>>> 
>>>> There is a user property 
>>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use
>>>> to provide the list of permitted SSL protocols when
>>>> connecting to a websocket with WsWebSocketContainer.  I was
>>>> expecting that there would be a similar property to allow you
>>>> to set the list of permitted SSL cipher suites as well.
>>>> 
>>>> I've checked the code (for version 7.0.73, and also
>>>> 9.0.0.M15) and there doesn't seem to be any mention of such
>>>> an option.  I can see it calling
>>>> SSLEngine.setEnabledProtocols() but not 
>>>> SSLEngine.setEnabledCipherSuites().
>>>> 
>>>> Is there a particular reason why there is no 
>>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or
>>>> is it simply an oversight?
>> 
>>> No reason I can think of. Patches welcome :)
>> 
>> I'm curious: since the existing <Connector> (possibly) contains a
>> TLS configuration, why does Websocket specifically require a
>> separate configuration?
> 
> This is for the WebSocket client, not the server.

Hah... of course. *duh*

-chris



Re: [OT] Ability to set cipher suites for websocket connections

Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2017 19:32, Christopher Schultz wrote:
> Mark,
> 
> On 1/17/17 8:39 AM, Mark Thomas wrote:
>> On 17/01/2017 11:23, Michael Orr wrote:
>>> Hi,
>>>
>>> There is a user property
>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>>> provide the list of permitted SSL protocols when connecting to a
>>> websocket with WsWebSocketContainer.  I was expecting that there
>>> would be a similar property to allow you to set the list of 
>>> permitted SSL cipher suites as well.
>>>
>>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>>> and there doesn't seem to be any mention of such an option.  I
>>> can see it calling SSLEngine.setEnabledProtocols() but not 
>>> SSLEngine.setEnabledCipherSuites().
>>>
>>> Is there a particular reason why there is no 
>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>>> it simply an oversight?
> 
>> No reason I can think of. Patches welcome :)
> 
> I'm curious: since the existing <Connector> (possibly) contains a TLS
> configuration, why does Websocket specifically require a separate
> configuration?

This is for the WebSocket client, not the server.

Mark
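
Added example, not part of the thread and not Tomcat's code: a JDK-only sketch of the gap discussed above, showing an SSLEngine whose protocols are restricted from a user property while its cipher suites are restricted the same way from the property the thread proposes. "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" is hypothetical (the thread establishes it does not exist), and the comma-separated value format, the class name and the helper names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class WsClientTlsSketch {
    // Property named in the thread.
    static final String PROTOCOLS = "org.apache.tomcat.websocket.SSL_PROTOCOLS";
    // Hypothetical property: proposed in the thread, not an existing option.
    static final String CIPHERS = "org.apache.tomcat.websocket.SSL_CIPHER_SUITES";

    // Keep only requested names the engine supports (assumed comma-separated).
    static String[] select(String csv, String[] supported, String what) {
        List<String> known = Arrays.asList(supported);
        List<String> chosen = new ArrayList<>();
        for (String raw : csv.split(",")) {
            String name = raw.trim();
            if (known.contains(name)) {
                chosen.add(name);
            }
        }
        // Fail closed: never fall back to the JDK defaults on a bad list.
        if (chosen.isEmpty()) {
            throw new IllegalArgumentException("no supported " + what + " in: " + csv);
        }
        return chosen.toArray(new String[0]);
    }

    static SSLEngine configure(Map<String, Object> userProperties) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true); // WebSocket client side, as Mark points out
        String p = (String) userProperties.get(PROTOCOLS);
        if (p != null) {
            engine.setEnabledProtocols(select(p, engine.getSupportedProtocols(), "protocol"));
        }
        String c = (String) userProperties.get(CIPHERS);
        if (c != null) { // the step the original poster found missing
            engine.setEnabledCipherSuites(select(c, engine.getSupportedCipherSuites(), "cipher suite"));
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = new HashMap<>(); // constructed sample values
        props.put(PROTOCOLS, "TLSv1.2");
        props.put(CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, NOT_A_REAL_SUITE");
        SSLEngine engine = configure(props);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
        System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Without the second block in configure(), the engine keeps every cipher suite the JDK enables by default for the chosen protocol, which is the behaviour the original question describes.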
