Posted to users@tomcat.apache.org by George Stanchev <Gs...@serena.com> on 2015/06/13 14:36:13 UTC

useServerCipherSuitesOrder in 7.0.62

Hi,

I was looking at [1] and it looks like the new attribute is available from 7.0.61 onwards, as per Violeta's comment. However, I cannot find this new attribute in the HTTP connector documentation [2] nor in the changelog [3]. Can someone confirm or deny the availability of this attribute (useServerCipherSuitesOrder) in Tomcat 7.0.62?

As a follow-up question, I seem to remember that 8.0.latest supports an OpenSSL-style list for the HTTP connector "ciphers" attribute. Does 7.0.62 also support this, or wasn't it backported?

Thanks!

George


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
[2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
[3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html




Re: useServerCipherSuitesOrder in 7.0.62

Posted by Mark Thomas <ma...@apache.org>.
On 24/06/2015 17:57, Christopher Schultz wrote:
> Mark,
> 
> On 6/24/15 12:45 PM, Mark Thomas wrote:
>> On 24/06/2015 16:55, Christopher Schultz wrote:
> 
>>> There are some related files (like Cipher.java), but start in
>>> that class right there. I think a simple driver class could take
>>> an OpenSSL-style cipher string and dump-out the JSSE-compatible 
>>> (expanded) cipher suites string.
> 
>> The key mapping information is held in the Cipher enumeration.
>> There should be an entry for each known Cipher, excluding a few
>> there aren't implemented (and are unlikely to be implemented) in
>> OpenSSL or JSSE.
> 
>> The tricky part isn't porting the mapping but the unit tests since
>> they depend on which ciphers are enabled in the JRE and the unit
>> tests for older Tomcat versions run on older JREs with fewer
>> ciphers.
> 
>> We could just skip porting the unit tests.
> 
> But the JRE will happily allow discovery of supported ciphers. Could
> we simply run the unit tests and white-list only those ciphers that
> are actually supported by the runtime JRE?

You could. It would make the unit tests more complicated. For bonus
points you'd need to do the same with OpenSSL.

Where it gets really tricky is that some of the OpenSSL filter strings
are NO-OPs on older versions. Some have also subtly changed meanings.

By all means go for it, but be prepared for there to be some non-trivial
edge cases.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: useServerCipherSuitesOrder in 7.0.62

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 6/24/15 12:45 PM, Mark Thomas wrote:
> On 24/06/2015 16:55, Christopher Schultz wrote:
> 
>> There are some related files (like Cipher.java), but start in
>> that class right there. I think a simple driver class could take
>> an OpenSSL-style cipher string and dump-out the JSSE-compatible 
>> (expanded) cipher suites string.
> 
> The key mapping information is held in the Cipher enumeration.
> There should be an entry for each known Cipher, excluding a few
> there aren't implemented (and are unlikely to be implemented) in
> OpenSSL or JSSE.
> 
> The tricky part isn't porting the mapping but the unit tests since
> they depend on which ciphers are enabled in the JRE and the unit
> tests for older Tomcat versions run on older JREs with fewer
> ciphers.
> 
> We could just skip porting the unit tests.

But the JRE will happily allow discovery of supported ciphers. Could
we simply run the unit tests and white-list only those ciphers that
are actually supported by the runtime JRE?

-chris


Re: useServerCipherSuitesOrder in 7.0.62

Posted by Mark Thomas <ma...@apache.org>.
On 24/06/2015 16:55, Christopher Schultz wrote:

> There are some related files (like Cipher.java), but start in that
> class right there. I think a simple driver class could take an
> OpenSSL-style cipher string and dump-out the JSSE-compatible
> (expanded) cipher suites string.

The key mapping information is held in the Cipher enumeration. There
should be an entry for each known Cipher, excluding a few there aren't
implemented (and are unlikely to be implemented) in OpenSSL or JSSE.

The tricky part isn't porting the mapping but the unit tests since they
depend on which ciphers are enabled in the JRE and the unit tests for
older Tomcat versions run on older JREs with fewer ciphers.

We could just skip porting the unit tests.

Mark



Re: useServerCipherSuitesOrder in 7.0.62

Posted by Christopher Schultz <ch...@christopherschultz.net>.

George,

On 6/24/15 11:31 AM, George Stanchev wrote:
> (Apologies for top posting, I cannot find a way to switch to ">"
> quote for Outlook)

No problem.

> Having a utility is an interesting idea, but it will not address the
> regular expression rules that OpenSSL supports. For example, I was
> porting Mozilla's Server Side TLS ciphers [1] to our 7.0.62 the
> other day and at the end you have:
>
> "...:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>
> So after mapping all the explicit ones before, I had to go and look
> for the rest of the AES suites, then exclude the export suites, ignore
> the RC4s, etc., etc. I did it, kinda, but it was a pain in the neck and
> it is really not the same rule list.
> 
> Can you point me to the code where 8 and the trunk deal with this?
> It is not really that big of a deal to not have it since once you
> set your list you don't touch it until the next security scare, but
> since it is security related, I thought it would benefit people to
> be able to have more flexibility on the cipher definitions and
> might be worth backporting.

You are looking for
org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser

There are some related files (like Cipher.java), but start in that
class right there. I think a simple driver class could take an
OpenSSL-style cipher string and dump-out the JSSE-compatible
(expanded) cipher suites string.

-chris

> Regards, George
>
> [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29


RE: useServerCipherSuitesOrder in 7.0.62

Posted by George Stanchev <Gs...@serena.com>.
Hi Christopher,

(Apologies for top posting, I cannot find a way to switch to ">" quote for Outlook)

Having a utility is an interesting idea, but it will not address the regular expression rules that OpenSSL supports. For example, I was porting Mozilla's Server Side TLS ciphers [1] to our 7.0.62 the other day and at the end you have:

"...:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

So after mapping all the explicit ones before, I had to go and look for the rest of the AES suites, then exclude the export suites, ignore the RC4s, etc., etc. I did it, kinda, but it was a pain in the neck and it is really not the same rule list.

Can you point me to the code where 8 and the trunk deal with this? It is not really that big of a deal to not have it, since once you set your list you don't touch it until the next security scare, but since it is security related, I thought it would benefit people to be able to have more flexibility on the cipher definitions and it might be worth backporting.

Regards,
George

[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, June 24, 2015 8:37 AM
To: Tomcat Users List
Subject: Re: useServerCipherSuitesOrder in 7.0.62


George,

On 6/15/15 10:08 AM, George Stanchev wrote:
> Is there any chance for the OpenSSL-style ciphers to be backported to 
> the 7 release line?

I'm not sure. The biggest problem with the OpenSSL-style ciphers is maintaining the mapping, which might change with every release of Java and/or OpenSSL. Maintaining it in Tomcat's trunk and 8 is already double the work... adding Tomcat 7 is even more work.

I think what might make sense is to wrap a command-line program around the trunk/8.0.x utility that does the mapping to build something like OpenSSL's "ciphers" command, but that dumps-out JSSE-style cipher suites.

Then that could be used independently of any version of Tomcat for those versions that don't directly-support the openssl-style cipher suites configuration.

What do you think?

Another possibility would be to maintain the mapping somewhere other than code (where it currently is), and then share that mapping between the various versions, perhaps using svn external links. Then the mapping gets updated in a single place and all supporting versions of Tomcat can pick it up.

I'll defer to markt who mostly wrote the OpenSSL-JSSE bridge code to decide if that might work.

-chris



Re: useServerCipherSuitesOrder in 7.0.62

Posted by Christopher Schultz <ch...@christopherschultz.net>.

George,

On 6/15/15 10:08 AM, George Stanchev wrote:
> Is there any chance for the OpenSSL-style ciphers to be backported 
> to the 7 release line?

I'm not sure. The biggest problem with the OpenSSL-style ciphers is
maintaining the mapping, which might change with every release of Java
and/or OpenSSL. Maintaining it in Tomcat's trunk and 8 is already
double the work... adding Tomcat 7 is even more work.

I think what might make sense is to wrap a command-line program around
the trunk/8.0.x utility that does the mapping to build something like
OpenSSL's "ciphers" command, but that dumps-out JSSE-style cipher
suites.

Then that could be used independently of any version of Tomcat for
those versions that don't directly-support the openssl-style cipher
suites configuration.

What do you think?

Another possibility would be to maintain the mapping somewhere other
than code (where it currently is), and then share that mapping between
the various versions, perhaps using svn external links. Then the
mapping gets updated in a single place and all supporting versions of
Tomcat can pick it up.

I'll defer to markt who mostly wrote the OpenSSL-JSSE bridge code to
decide if that might work.

-chris



RE: useServerCipherSuitesOrder in 7.0.62

Posted by George Stanchev <Gs...@serena.com>.
Is there any chance for the OpenSSL-style ciphers to be backported to the 7 release line?

-----Original Message-----
From: George Stanchev [mailto:Gstanchev@serena.com] 
Sent: Saturday, June 13, 2015 11:41 AM
To: Tomcat Users List
Subject: RE: useServerCipherSuitesOrder in 7.0.62

Thanks Konstantin,

I apologize for the shortsightedness. I guess I must have had a space in the search dialog. Thanks for the answers!

Cheers,

George



RE: useServerCipherSuitesOrder in 7.0.62

Posted by George Stanchev <Gs...@serena.com>.
Thanks Konstantin,

I apologize for the shortsightedness. I guess I must have had a space in the search dialog. Thanks for the answers!

Cheers,

George

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Saturday, June 13, 2015 7:26 AM
To: Tomcat Users List
Subject: Re: useServerCipherSuitesOrder in 7.0.62

2015-06-13 15:36 GMT+03:00 George Stanchev <Gs...@serena.com>:
> Hi,
>
> I was looking at [1] and it looks like the new attribute is available from 7.0.61 onwards, as per Violeta's comment. However, I cannot find this new attribute in the HTTP connector documentation [2] nor in the changelog [3]. Can someone confirm or deny the availability of this attribute (useServerCipherSuitesOrder) in Tomcat 7.0.62?


#55988 [1] is mentioned in the changelog, twice (7.0.61, 7.0.60).

"useServerCipherSuitesOrder" is mentioned in [2] (in "SSL Support - BIO and NIO" section).

Note that this feature requires running with Java 8.


> As a follow-up question, I seem to remember that 8.0.latest supports an OpenSSL-style list for the HTTP connector "ciphers" attribute. Does 7.0.62 also support this, or wasn't it backported?


It was not backported.

Relevant classes are in
package org.apache.tomcat.util.net.jsse.openssl:

OpenSSLCipherConfigurationParser etc.

>
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
> [2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
> [3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Best regards,
Konstantin Kolinko



Re: useServerCipherSuitesOrder in 7.0.62

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-06-13 15:36 GMT+03:00 George Stanchev <Gs...@serena.com>:
> Hi,
>
> I was looking at [1] and it looks like the new attribute is available from 7.0.61 onwards, as per Violeta's comment. However, I cannot find this new attribute in the HTTP connector documentation [2] nor in the changelog [3]. Can someone confirm or deny the availability of this attribute (useServerCipherSuitesOrder) in Tomcat 7.0.62?


#55988 [1] is mentioned in the changelog, twice (7.0.61, 7.0.60).

"useServerCipherSuitesOrder" is mentioned in [2] (in "SSL Support -
BIO and NIO" section).

Note that this feature requires running with Java 8.


> As a follow-up question, I seem to remember that 8.0.latest supports an OpenSSL-style list for the HTTP connector "ciphers" attribute. Does 7.0.62 also support this, or wasn't it backported?


It was not backported.

Relevant classes are in
package org.apache.tomcat.util.net.jsse.openssl:

OpenSSLCipherConfigurationParser etc.

>
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
> [2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
> [3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Best regards,
Konstantin Kolinko
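
The three things this thread keeps circling, as one added example that is not Tomcat's code and not the driver Christopher proposed: a driver that expands an OpenSSL-style cipher string into JSSE suite names (the expansion George did by hand for the Mozilla list), white-lists the result against what the running JRE reports (Christopher's idea for making the unit tests portable across JREs), and turns on server-side suite ordering. Assumptions: the Suite table is a constructed nine-entry subset standing in for Tomcat's Cipher enum, with simplified OpenSSL 1.0.x alias memberships (the real table is far larger, and alias meanings drift between OpenSSL releases, as Mark notes); SSLParameters.setUseCipherSuitesOrder is taken to be the Java 8 call behind useServerCipherSuitesOrder, which fits Konstantin's note that the attribute needs Java 8; the class and method names are mine.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added example, not Tomcat's OpenSSLCipherConfigurationParser: expands a simplified
 * OpenSSL-style cipher string into JSSE suite names, keeps only what the running JRE
 * supports, and builds SSLParameters that honour the server's preference order.
 */
public class OpenSslCipherStringDemo {

    /** Constructed nine-entry stand-in for Tomcat's Cipher enum: OpenSSL name, JSSE name, aliases. */
    enum Suite {
        ECDHE_RSA_AES128_GCM_SHA256("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "HIGH", "AES", "AESGCM", "kECDHE", "aRSA"),
        ECDHE_RSA_AES256_SHA384("ECDHE-RSA-AES256-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "HIGH", "AES", "kECDHE", "aRSA"),
        DHE_RSA_AES128_SHA256("DHE-RSA-AES128-SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "HIGH", "AES", "kDHE", "aRSA"),
        AES128_SHA("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "HIGH", "AES", "kRSA", "aRSA"),
        // 3DES was HIGH in OpenSSL 1.0.x and became MEDIUM in 1.1.0: the alias drift Mark warns about.
        DES_CBC3_SHA("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "HIGH", "3DES", "kRSA", "aRSA"),
        RC4_SHA("RC4-SHA", "SSL_RSA_WITH_RC4_128_SHA", "MEDIUM", "RC4", "kRSA", "aRSA"),
        EXP_RC4_MD5("EXP-RC4-MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "EXPORT", "RC4", "MD5", "kRSA", "aRSA"),
        ADH_AES128_SHA("ADH-AES128-SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "HIGH", "AES", "kDHE", "aNULL"),
        NULL_SHA("NULL-SHA", "SSL_RSA_WITH_NULL_SHA", "eNULL", "kRSA", "aRSA");

        final String openSsl, jsse;
        final Set<String> aliases;

        Suite(String openSsl, String jsse, String... aliases) {
            this.openSsl = openSsl;
            this.jsse = jsse;
            this.aliases = new HashSet<>(Arrays.asList(aliases));
        }

        /** A word is an OpenSSL name, an alias, "ALL" (everything but eNULL), or aliases joined by '+' (AND). */
        boolean matches(String word) {
            for (String part : word.split("\\+")) {
                boolean hit = part.equals("ALL") ? !aliases.contains("eNULL")
                        : part.equals(openSsl) || aliases.contains(part);
                if (!hit) return false;
            }
            return true;
        }
    }

    /** Applies the rule left to right: a bare word appends its new matches, "!word" removes them for good. */
    static List<String> expand(String rule) {
        List<Suite> selected = new ArrayList<>();
        Set<Suite> banned = EnumSet.noneOf(Suite.class);
        for (String token : rule.split("[:, ]+")) {
            if (token.isEmpty()) continue;
            boolean exclude = token.charAt(0) == '!';
            String word = exclude ? token.substring(1) : token;
            List<Suite> hits = new ArrayList<>();
            for (Suite s : Suite.values()) if (s.matches(word)) hits.add(s);
            if (hits.isEmpty()) {
                // OpenSSL itself silently skips words it does not know; with a small table that
                // silence would hide exactly the suites the mapping is missing, so report them.
                System.err.println("nothing in the table matches '" + word + "', skipping");
            } else if (exclude) {
                banned.addAll(hits);                 // a later bare word cannot bring these back
                selected.removeAll(hits);
            } else {
                for (Suite s : hits) {
                    if (!banned.contains(s) && !selected.contains(s)) selected.add(s);   // never reorders
                }
            }
        }
        List<String> jsse = new ArrayList<>();
        for (Suite s : selected) jsse.add(s.jsse);
        return jsse;
    }

    /** Christopher's white-list idea: keep only suites this JRE can actually negotiate. */
    static List<String> supportedByRuntime(List<String> jsseNames) throws Exception {
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> out = new ArrayList<>();
        for (String name : jsseNames) if (supported.contains(name)) out.add(name);
        return out;
    }

    /** Assumed here to be what useServerCipherSuitesOrder="true" turns on; the setter exists only from Java 8. */
    static SSLParameters serverParameters(List<String> suites) {
        SSLParameters params = new SSLParameters(suites.toArray(new String[0]));
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // The tail of the Mozilla string quoted in the thread, with one explicit suite in place of the "...".
        String rule = args.length > 0 ? args[0]
                : "ECDHE-RSA-AES128-GCM-SHA256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4"
                + ":!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
        List<String> jsse = expand(rule);
        System.out.println("JSSE names from the rule: " + jsse);
        List<String> usable = supportedByRuntime(jsse);
        System.out.println("Supported by this JRE:    " + usable);
        System.out.println("Server order enforced:    " + serverParameters(usable).getUseCipherSuitesOrder());
    }
}
```

Compile and run with Java 8 or later (javac OpenSslCipherStringDemo.java, then java OpenSslCipherStringDemo, optionally with your own rule as the argument). With the built-in rule the expansion yields the two ECDHE suites, the DHE suite, AES128-SHA and 3DES in that order, and the words the small table cannot resolve (!DES, !PSK, !aECDH and the three explicit exclusions) are reported on stderr; that is the coverage gap a real port has to close before its unit tests mean anything. The "Supported by this JRE" line differs between JREs, which is exactly why Mark expects the tests, not the mapping, to be the hard part of a backport.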
