Posted to users@tomcat.apache.org by Marc Dorsa <md...@overlandstorage.com> on 2017/08/09 00:08:18 UTC
RE: Problem enabling SSLv3 in Tomcat 8.5.15
-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Wednesday, June 21, 2017 2:31 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Problem enabling SSLv3 in Tomcat 8.5.15
On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather than letting
> me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.
>
> Mark
> ----------------------------------
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all)
> in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs),
> I could have saved days of research and experimentation. :-(
SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).
Mark
------------------------------
Hi Mark,
When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled? (This feature is critical for our product and is needed ASAP.)
Thank you,
Marc
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
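The `protocols` attribute of `SSLHostConfig` that Marc refers to, shown here as an added example that is not from the thread or from the Tomcat project's own documentation: a Tomcat 8.5 HTTPS connector pinned to TLSv1.2. The port, keystore path and password are assumed placeholder values.

```xml
<!-- Added example (not from the thread or the Tomcat docs): a Tomcat 8.5
     HTTPS connector whose SSLHostConfig pins the negotiable protocols.
     Port, keystore path and password are assumed placeholder values. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <!-- Only TLSv1.2 is offered. Adding "SSLv3" to this list on 8.5.15 has
         no effect: the supported-protocol filter drops it and a warning is
         logged at start-up, as Mark describes above. -->
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After a restart, the start-up log is the place to confirm what the connector actually accepted: on 8.5.15 a requested-but-unsupported protocol shows up there as a warning, and Mark states that the 8.5.17+ behaviour keeps the warning even when SSLv3 is honoured, so the log line is the reliable signal either way.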
RE: Problem enabling SSLv3 in Tomcat 8.5.15
Posted by Marc Dorsa <md...@overlandstorage.com>.
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled? (This feature is critical for our product and is needed ASAP.)
Releases are typically monthly.
We've had a batch of regressions in releases which has delayed things
for the July release.
The August release vote passed yesterday and I expect to be making the
formal announcement later today.
Mark
----------------------------------
Thanks Mark,
FYI, I've tested and verified SSLv3 works in Tomcat 8.5.20.
I'm a happy camper. :)
Marc
Re: Problem enabling SSLv3 in Tomcat 8.5.15
Posted by Mark Thomas <ma...@apache.org>.
<snip/>
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled? (This feature is critical for our product and is needed ASAP.)
Releases are typically monthly.
We've had a batch of regressions in releases which has delayed things
for the July release.
The August release vote passed yesterday and I expect to be making the
formal announcement later today.
Mark