Posted to users@tomcat.apache.org by Jeffrey Janner <Je...@PolyDyne.com> on 2014/10/17 19:12:43 UTC

Anyway to enable just all TLS protocols in APR connector?

Documentation for the APR connector says setting SSLProtocol="all" (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1 and TLSv1.2 as well. However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations. In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?

FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default.
The question is, if there is no current "magic string" that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?

Jeffrey Janner
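
Since the thread establishes that the APR connector's SSLProtocol string could not express a TLS-only set, the practical check is to observe what the connector actually negotiates, which is what the SSLLabs report did. The following is an added example, not code from the thread, from Tomcat or from tcnative: it sends a bare ClientHello for each version over a raw socket (modern TLS libraries refuse to even offer SSLv3) and reports whether the server answers with a ServerHello at that version; host and port are whatever you point it at.

```python
# Added example, not code from the thread or from Tomcat/tcnative: probe which
# SSL/TLS versions a server actually negotiates, since (as the thread says)
# SSLProtocol="all" could not express "TLS only" on the APR connector.
# Raw sockets are used because modern TLS libraries refuse to even offer SSLv3.
import os
import socket
import struct

VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]  # common suites to offer


def build_client_hello(version):
    """Return a minimal, extension-free ClientHello record for one version."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)          # client_version
            + os.urandom(32)                     # random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # compression_methods: null only
    # Handshake header: type 0x01 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 2-byte length.
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def server_accepted(response, version):
    """True only for a ServerHello (0x16 / 0x02) carrying the probed version.
    An alert record (0x15), a different version or an empty reply counts as refused."""
    if len(response) < 11 or response[0] != 0x16 or response[5] != 0x02:
        return False
    return struct.unpack("!H", response[9:11])[0] == version


def probe(host, port=443, timeout=5.0):
    """Map each protocol name to whether the server answered at that version."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = server_accepted(sock.recv(4096), version)
        except OSError:
            results[name] = False  # refused or reset connection means "not offered"
    return results


if __name__ == "__main__":
    import sys  # usage: probe.py <host> [port]
    for name, ok in probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443).items():
        print(f"{name:8s} {'offered' if ok else 'refused'}")
```

Run it against a test instance of the connector before and after a configuration change; a server that still answers the SSLv3 probe with a ServerHello is still offering SSLv3 regardless of what the SSLProtocol string was meant to say.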

Re: Anyway to enable just all TLS protocols in APR connector?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jeffrey,

On 10/17/14 4:20 PM, Jeffrey Janner wrote:
>> -----Original Message----- From: Jeffrey Janner
>> [mailto:Jeffrey.Janner@PolyDyne.com] Sent: Friday, October 17,
>> 2014 3:04 PM To: 'Tomcat Users List' Subject: RE: Anyway to
>> enable just all TLS protocols in APR connector?
>> 
>>> -----Original Message----- From: Christopher Schultz
>>> [mailto:chris@christopherschultz.net] Sent: Friday, October 17,
>>> 2014 12:26 PM To: Tomcat Users List Subject: Re: Anyway to
>>> enable just all TLS protocols in APR connector?
>>> 
> Jeffrey,
> 
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>>>>> Documentation for the APR connector says setting
>>>>> SSLProtocol="all" (the default) enables TLSv1+SSLv3, but
>>>>> actually enables TLSv1.1 and TLSv1.2 as well.
> 
> Why do you think that's the case?
>>> 
>>> Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and
>>> latest APR build.
>>> 
> 
>>>>> However, it only seems to accept SSLProtocol strings that
>>>>> include TLSv1, SSLv2, SSLv3 or their combinations.
> 
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are
> patched; expect new builds soon.
> 
>>>>> In other words, there doesn't seem to be a way to specify
>>>>> that you only want all 3 TLS versions and none of the SSL
>>>>> versions. Is there something I'm missing?
> 
> Nope.
> 
>>>>> FYI: I checked Bugzilla on this, and there seems to be some
>>>>> work progressing on coding support, but it also interjected
>>>>> a regression to turn SSLv2 back on by default.
> 
> This can happen in certain situations, like saying that you want 
> TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that 
> case, you get SSLv23 which I believe in OpenSSL means "SSLv3 + 
> SSLv2Hello" which is only as dangerous as SSLv3 right now.
>>> 
>>> Actually, I was looking at the most recent patch code. It
>>> actually modified the definition of ALL to include SSLv2. I
>>> pointed it out on Bugzilla, but thought I'd mention it here as
>>> well.
>>> 
> 
>> Chris, when I said most recent, I meant latest posted to the
>> Bugzilla entry when I read it. Just reviewed it again and see
>> that's not the patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in
subversion and let me know how they work for you (or don't)? No reason
to wait until there is an official build for testing.

>>>>> The question is, if there is no current "magic string" that
>>>>> Tomcat will accept to enable full TLS support, is this
>>>>> something we will have to wait for 7.0.57 (and the
>>>>> equivalent 6 & 8 versions) to be able to address?
> 
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as
> well.
>>> 
>>> With baited breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly
tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Anyway to enable just all TLS protocols in APR connector?

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Jeffrey Janner [mailto:Jeffrey.Janner@PolyDyne.com]
> Sent: Friday, October 17, 2014 3:04 PM
> To: 'Tomcat Users List'
> Subject: RE: Anyway to enable just all TLS protocols in APR connector?
> 
> > -----Original Message-----
> > From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > Sent: Friday, October 17, 2014 12:26 PM
> > To: Tomcat Users List
> > Subject: Re: Anyway to enable just all TLS protocols in APR connector?
> >
> > Jeffrey,
> >
> > On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> > > Documentation for the APR connector says setting SSLProtocol="all"
> > > (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
> > > and TLSv1.2 as well.
> >
> > Why do you think that's the case?
> 
> Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and latest APR build.
> 
> >
> > > However, it only seems to accept SSLProtocol strings that include
> > > TLSv1, SSLv2, SSLv3 or their combinations.
> >
> > Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
> > expect new builds soon.
> >
> > > In other words, there doesn't seem to be a way to specify that you
> > > only want all 3 TLS versions and none of the SSL versions. Is
> > > there something I'm missing?
> >
> > Nope.
> >
> > > FYI: I checked Bugzilla on this, and there seems to be some work
> > > progressing on coding support, but it also interjected a
> > > regression to turn SSLv2 back on by default.
> >
> > This can happen in certain situations, like saying that you want
> > TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
> > case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
> > SSLv2Hello" which is only as dangerous as SSLv3 right now.
> 
> Actually, I was looking at the most recent patch code. It actually modified the
> definition of ALL to include SSLv2.
> I pointed it out on Bugzilla, but thought I'd mention it here as well.
> 

Chris, when I said most recent, I meant latest posted to the Bugzilla entry when I read it.
Just reviewed it again and see that's not the patch you guys are implementing.

> >
> > > The question is, if there is no current "magic string" that Tomcat
> > > will accept to enable full TLS support, is this something we will
> > > have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
> > > able to address?
> >
> > Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
> 
> With baited breath, but not holding it.
> 
> >
> > -chris

RE: Anyway to enable just all TLS protocols in APR connector?

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Friday, October 17, 2014 3:59 PM
> To: Tomcat Users List
> Subject: Re: Anyway to enable just all TLS protocols in APR connector?
> 
> Bob Hall wrote:
> > On Friday, October 17, 2014 1:05 PM, Jeffrey Janner <Je...@PolyDyne.com> wrote:
> >
> >>  With baited breath, but not holding it.
> >
> > Should be "bated breath".
> >
> 
> But perhaps, dear Bob, Jeffrey meant exactly what he wrote.
> Having posted to the list and expecting a response,
> he rested with a glass of milk,
> waiting for the Tomcat to pounce.
> 
> 
I shall defer to those perhaps wiser than moi:
http://www.worldwidewords.org/qa/qa-bai1.htm



Re: Anyway to enable just all TLS protocols in APR connector?

Posted by André Warnier <aw...@ice-sa.com>.
Bob Hall wrote:
> On Friday, October 17, 2014 1:05 PM, Jeffrey Janner <Je...@PolyDyne.com> wrote:
> 
>>  With baited breath, but not holding it.
> 
> Should be "bated breath".
> 

But perhaps, dear Bob, Jeffrey meant exactly what he wrote.
Having posted to the list and expecting a response,
he rested with a glass of milk,
waiting for the Tomcat to pounce.



Re: Anyway to enable just all TLS protocols in APR connector?

Posted by Bob Hall <rf...@yahoo.com.INVALID>.
On Friday, October 17, 2014 1:05 PM, Jeffrey Janner <Je...@PolyDyne.com> wrote:

>  With baited breath, but not holding it.

Should be "bated breath".

- Bob

RE: Anyway to enable just all TLS protocols in APR connector?

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Friday, October 17, 2014 12:26 PM
> To: Tomcat Users List
> Subject: Re: Anyway to enable just all TLS protocols in APR connector?
> 
> Jeffrey,
> 
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> > Documentation for the APR connector says setting SSLProtocol="all"
> > (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
> > and TLSv1.2 as well.
> 
> Why do you think that's the case?

Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and latest APR build.

> 
> > However, it only seems to accept SSLProtocol strings that include
> > TLSv1, SSLv2, SSLv3 or their combinations.
> 
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
> expect new builds soon.
> 
> > In other words, there doesn't seem to be a way to specify that you
> > only want all 3 TLS versions and none of the SSL versions. Is
> > there something I'm missing?
> 
> Nope.
> 
> > FYI: I checked Bugzilla on this, and there seems to be some work
> > progressing on coding support, but it also interjected a
> > regression to turn SSLv2 back on by default.
> 
> This can happen in certain situations, like saying that you want
> TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
> case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
> SSLv2Hello" which is only as dangerous as SSLv3 right now.

Actually, I was looking at the most recent patch code. It actually modified the definition of ALL to include SSLv2.
I pointed it out on Bugzilla, but thought I'd mention it here as well.

> 
> > The question is, if there is no current "magic string" that Tomcat
> > will accept to enable full TLS support, is this something we will
> > have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be
> > able to address?
> 
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.
 
With baited breath, but not holding it.

> 
> -chris


Re: Anyway to enable just all TLS protocols in APR connector?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jeffrey,

On 10/17/14 1:12 PM, Jeffrey Janner wrote:
> Documentation for the APR connector says setting SSLProtocol="all" 
> (the default) enables TLSv1+SSLv3, but actually enables TLSv1.1
> and TLSv1.2 as well.

Why do you think that's the case?

> However, it only seems to accept SSLProtocol strings that include
> TLSv1, SSLv2, SSLv3 or their combinations.

Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are patched;
expect new builds soon.

> In other words, there doesn't seem to be a way to specify that you 
> only want all 3 TLS versions and none of the SSL versions. Is
> there something I'm missing?

Nope.

> FYI: I checked Bugzilla on this, and there seems to be some work 
> progressing on coding support, but it also interjected a
> regression to turn SSLv2 back on by default.

This can happen in certain situations, like saying that you want
TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that
case, you get SSLv23 which I believe in OpenSSL means "SSLv3 +
SSLv2Hello" which is only as dangerous as SSLv3 right now.

> The question is, if there is no current "magic string" that Tomcat 
> will accept to enable full TLS support, is this something we will 
> have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be 
> able to address?

Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as well.

-chris