Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/03/04 20:48:45 UTC

[Bug 59120] New: The protocol "TLS" has different interpretation in different JRE, better use "SSL"

https://bz.apache.org/bugzilla/show_bug.cgi?id=59120

            Bug ID: 59120
           Summary: The protocol "TLS" has different interpretation in
                    different JRE, better use "SSL"
           Product: Tomcat 8
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: WebSocket
          Assignee: dev@tomcat.apache.org
          Reporter: caijunj@apache.org

In the class [1], its createSSLEngine() method uses the protocol name "TLS" to
get an SSL context. However, different JREs have different interpretation for
this protocol name. For example, Oracle/OpenJDK interprets it as "Supports some
version of TLS; may support other versions" [2], while IBM JDK interprets it as
"TLS v1.0 protocol" [3]. As TLS v1.0 is quickly getting deprecated, a more
general protocol name should be used, like "SSL". Based on my test, when "SSL"
is used to get the SSL context, both the Oracle/OpenJDK and IBM JDK use TLSv1.2
to make the connection.

This issue also applies to other Tomcat versions.

[1]
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
[2]
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
[3]
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html?lang=en

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 59120] The protocol "TLS" has different interpretation in different JRE, better use "SSL"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
OK, that isn't going to work.

I've done some testing with Oracle's JVM and the protocol used only determines
the protocols enabled by default. All protocols remain supported and may be
selected via org.apache.tomcat.websocket.SSL_PROTOCOLS.

I tried to test a current IBM JVM but downloads require a registration and the
registration is broken. I then tried to download without registration and the
IBM download director hangs.

I managed to dig out an oldish IBM Java 8 install for Linux and a quick test
shows that it behaves the same way as Oracle.

There is no Tomcat issue here. Defaults will vary with platforms. You need to
use org.apache.tomcat.websocket.SSL_PROTOCOL to configure the protocols you
actually want to use.



[Bug 59120] The protocol "TLS" has different interpretation in different JRE, better use "SSL"


--- Comment #1 from Mark Thomas <ma...@apache.org> ---
The documentation you quote is not consistent with the claims you make
regarding SSL being more general.

Part of the problem is that this code has to work across multiple Java versions
and multiple vendors and the respective behaviours are not always identical.

There is always the option to provide your own, pre-configured SSLContext.

Typically, I'd expect this value to not matter and the value obtained from
org.apache.tomcat.websocket.SSL_PROTOCOLS to be much more important.

One of the reasons for allowing a custom SSLContext was to avoid the
mushrooming of TLS configuration options.

I'm going to change this code to use SSLContext.getDefault() as that should
return a good, secure choice on any OS / Vendor / Java version combination.



[Bug 59120] The protocol "TLS" has different interpretation in different JRE, better use "SSL"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|REOPENED                    |RESOLVED

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Further questions should be directed to the users@ mailing list.



[Bug 59120] The protocol "TLS" has different interpretation in different JRE, better use "SSL"


Jack <ca...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED



[Bug 59120] The protocol "TLS" has different interpretation in different JRE, better use "SSL"


--- Comment #3 from Jack <ca...@apache.org> ---
When you say "it behaves the same way as Oracle", did you mean the
communication used the same TLS version? From my test (by setting
-Djavax.net.debug=ssl) Oracle uses TLS v1.2, and IBM uses TLS v1.0.

I think it's probably better to use SSLContext.getDefault() as you suggested in
Comment #1 as THE DEFAULT, and then allow people to use
org.apache.tomcat.websocket.SSL_PROTOCOLS to override. That way people can also
use common JDK options like -Djdk.tls.client.protocols [1] to override.


[1]
https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
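The two points argued in this thread, that the name handed to SSLContext.getInstance() only changes which protocols an SSLEngine enables by default while the supported set stays the same (comment #2), and that SSLContext.getDefault() plus an explicit SSL_PROTOCOLS override is the safer default (comment #3), can be checked directly on any JRE. The following is an added example written for this page; it is not Tomcat's WsWebSocketContainer code. The class name EngineProtocolsDemo, the use of a plain java.util.Properties map as a stand-in for Tomcat's WebSocket user properties, and the assumption that the override value is a comma-separated list of protocol names are this example's own choices, not the project's API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Properties;

/**
 * Added example, not Tomcat code: compares supported vs. enabled protocols for
 * SSLEngines built from different SSLContext names, then builds a client engine
 * the way comment #3 proposes (JRE default context, optional explicit override).
 */
public class EngineProtocolsDemo {

    // Property name as used in the thread. The Properties object passed around
    // below is an assumed stand-in for Tomcat's user properties, not its API.
    static final String SSL_PROTOCOLS = "org.apache.tomcat.websocket.SSL_PROTOCOLS";

    /**
     * Print what an engine created from the named context supports and enables.
     * A null name means SSLContext.getDefault(), which is already initialised
     * (and honours JRE-level settings such as -Djdk.tls.client.protocols), so
     * init() is only called for contexts obtained via getInstance().
     */
    static void report(String contextName) {
        try {
            SSLContext ctx;
            if (contextName == null) {
                ctx = SSLContext.getDefault();
            } else {
                ctx = SSLContext.getInstance(contextName);
                ctx.init(null, null, null); // default key and trust managers
            }
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(true);
            String label = contextName == null ? "getDefault()" : "\"" + contextName + "\"";
            System.out.println("context " + label);
            System.out.println("  supported: " + Arrays.toString(engine.getSupportedProtocols()));
            System.out.println("  enabled:   " + Arrays.toString(engine.getEnabledProtocols()));
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            // Some names are not registered on every JRE; report rather than abort.
            System.out.println("context \"" + contextName + "\" unavailable: " + e);
        }
    }

    /**
     * Client engine from the JRE default context. If the override property is
     * set, its comma-separated list replaces the default enabled protocols;
     * setEnabledProtocols() rejects names the engine does not support with an
     * IllegalArgumentException, which surfaces misconfiguration immediately.
     */
    static SSLEngine clientEngine(Properties userProperties) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        String override = userProperties.getProperty(SSL_PROTOCOLS);
        if (override != null && !override.trim().isEmpty()) {
            String[] wanted = override.trim().split("\\s*,\\s*");
            engine.setEnabledProtocols(wanted);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Names from the thread plus two version-specific ones for comparison.
        for (String name : new String[] {"TLS", "SSL", "TLSv1", "TLSv1.2", null}) {
            report(name);
        }
        Properties props = new Properties();           // constructed sample input
        props.setProperty(SSL_PROTOCOLS, "TLSv1.2");
        SSLEngine pinned = clientEngine(props);
        System.out.println("pinned enabled: " + Arrays.toString(pinned.getEnabledProtocols()));
    }
}
```

Running this on a given JRE shows the "supported" line identical for every context name while the "enabled" line varies, which is the behaviour comment #2 describes; the final "pinned enabled" line shows the override taking effect regardless of which defaults the vendor chose. Compare the getDefault() output with and without -Djdk.tls.client.protocols on the command line to see the JRE-level switch comment #3 refers to.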