Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/11/18 21:30:55 UTC

[Bug 57234] New: Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

            Bug ID: 57234
           Summary: Use case-insensitive substring search when filtering
                    SSLv2/v3 protocols in connectors
           Product: Tomcat 8
           Version: 8.0.15
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: knst.kolinko@gmail.com

Regarding the "protocol.contains("SSL")" check in
org.apache.tomcat.util.net.jsse.JSSESocketFactory from r1632512 etc.

If one reads [1], it has the following phrase at the top of the document:
"Note: Standard names are not case-sensitive."

I doubt that anybody is really bitten by this, as I doubt that any JVM vendor
misspells "SSL".

On [1] there is a link named "Note: The Sun Provider Documentation contains
specific provider and algorithm information.". If you follow it to [2], it
lists the actual names used by Oracle JRE. Those are spelled with uppercase
"SSL".

Nevertheless, technically it would be better to do
protocol.toUpperCase(Locale.ENGLISH).contains("SSL")


[1]
https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
[2]
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 57234] Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Connectors                  |Connectors
            Version|8.0.15                      |unspecified
            Product|Tomcat 8                    |Tomcat 6

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Fixed in trunk, 8.0.x (for 8.0.16 onwards) and 7.0.x (for 7.0.58 onwards).

Comment added to existing proposal for Tomcat 6 to fix this as well.



[Bug 57234] Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
It's also feasible that a user would want to use SSLv2Hello, which is not
really a protocol. One could argue that nobody should even be using SSLv2Hello
since all of SSL should be dead, now -- any client that can use TLS should be
able to use a proper TLS hello.

(I didn't check to see if SSLv2Hello is returned by
socket.getEnabledProtocols() but I wanted to mention it in case someone was
going to patch this quickly.)



[Bug 57234] Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

--- Comment #4 from Konstantin Kolinko <kn...@gmail.com> ---
Created attachment 32226
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32226&action=edit
2014-11-25_tc6_57234_v1.patch

Patch for Tomcat 6.
Backport of r1641377 + Includes patch by Christopher Schultz to de-duplicate
code and fix name of the filtering method + A pair of compiler warning fixes
(duplicate ';' and generics for a local variable).



[Bug 57234] Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
> I didn't check to see if SSLv2Hello is returned by socket.getEnabledProtocols()

It is possible to turn on logging with
org.apache.tomcat.util.net.jsse.JSSESocketFactory.level = FINE

In my experiments SSLv2Hello is listed as present and excluded by protocol name
filtering (running with Oracle JDK 8u25).


According to [2] Java 7 clients do not have SSLv2Hello enabled by default. Is
there anything (not having EOL status) actively using it?

Do "generic purpose" web servers (configured by default) need it? It can be
enabled with explicit configuration.

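Added example, not part of the thread and not Tomcat's code: the case-sensitive check quoted in the original report next to the proposed Locale.ENGLISH variant, run over a constructed protocol list that includes SSLv2Hello (comments #1 and #2) and a lowercase "sslv3". Class and method names are hypothetical; the last lines apply the filter to whatever the local JVM's default SSLContext reports.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class ProtocolFilterDemo {

    // Case-sensitive check quoted in the report: protocol.contains("SSL")
    static List<String> filterCaseSensitive(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!p.contains("SSL")) {
                kept.add(p);
            }
        }
        return kept;
    }

    // Check proposed in the report: toUpperCase(Locale.ENGLISH).contains("SSL")
    static List<String> filterCaseInsensitive(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!p.toUpperCase(Locale.ENGLISH).contains("SSL")) {
                kept.add(p);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: JSSE standard names plus a lowercase spelling,
        // which is allowed because standard names are not case-sensitive.
        String[] constructed = {"SSLv2Hello", "SSLv3", "sslv3", "TLSv1", "TLSv1.2"};
        System.out.println("input:            " + Arrays.toString(constructed));
        System.out.println("case-sensitive:   " + filterCaseSensitive(constructed));
        System.out.println("case-insensitive: " + filterCaseInsensitive(constructed));

        // The same filter over what this JVM's default provider supports.
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getProtocols();
        System.out.println("JVM supported:    " + Arrays.toString(supported));
        System.out.println("after filtering:  " + filterCaseInsensitive(supported));
    }
}
```

With the constructed input, the case-sensitive filter keeps "sslv3" while the case-insensitive one does not, and both drop SSLv2Hello because it contains "SSL".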


[Bug 57234] Use case-insensitive substring search when filtering SSLv2/v3 protocols in connectors

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57234

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> ---
Fixed in Tomcat 6 by r1643590 and will be in 6.0.44 onwards.
