Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/11/23 03:40:09 UTC
[Bug 61803] New: Documentation for sslEnabledProtocols describes the incorrect way to set this option
https://bz.apache.org/bugzilla/show_bug.cgi?id=61803
Bug ID: 61803
Summary: Documentation for sslEnabledProtocols describes the incorrect way to set this option
Product: Tomcat 8
Version: 8.5.23
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: dev@tomcat.apache.org
Reporter: simon.dawson@sas.com
Target Milestone: ----
In webapps/docs/security-howto.xml the following documentation is provided for the sslEnabledProtocols option.

<p>The <strong>sslEnabledProtocols</strong> attribute determines which
versions of the SSL/TLS protocol are used. Since the POODLE attack in
2014, all SSL protocols are considered unsafe and a secure setting for
this attribute in a standalone Tomcat setup might be
<code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
This documentation also includes an example of setting this option. When this syntax is used you get the following warning text printed into the log.

WARN - The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
Inside org/apache/tomcat/util/net/SSLHostConfig.java there is a comment describing the expected format for this option and how it is parsed.

// List of protocol names, separated by ",", "+" or "-".
// Semantics is adding ("+") or removing ("-") from left
// to right, starting with an empty protocol set.
// Tokens are individual protocol names or "all" for a
// default set of supported protocols.
// Separator "," is only kept for compatibility and has the
// same semantics as "+", except that it warns about a potentially
// missing "+" or "-".

I've never written a patch before but I'm keen to assist if I can get some guidance.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
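The parsing rules quoted from that comment, as an added illustration rather than Tomcat's own code: a small reimplementation of the "+", "-" and "," semantics that reproduces the warning quoted in the report and shows the explicit "+" form that avoids it. The default set that "all" expands to, the case-insensitive match on "all", and treating an unprefixed first token as an addition are assumptions made here.

```python
import re

# Constructed stand-in for the protocols Tomcat's "all" token expands to
# (assumption: the real default depends on the SSL engine and Tomcat version).
DEFAULT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# One (separator, protocol-name) pair per match; the very first token may
# carry no separator, which is treated as an addition (assumption).
_TOKEN = re.compile(r"([,+-]?)\s*([^,+\-\s]+)")


def parse_ssl_enabled_protocols(value, defaults=DEFAULT_PROTOCOLS):
    """Apply the +/- semantics described in the SSLHostConfig.java comment.

    Starts from an empty set and walks the tokens left to right: "+" adds,
    "-" removes, "all" expands to the default set, and "," behaves like "+"
    but records the compatibility warning. Returns (enabled, warnings).
    """
    enabled = set()
    warnings = []
    for sep, token in _TOKEN.findall(value):
        # "all" matched case-insensitively here (assumption)
        names = set(defaults) if token.lower() == "all" else {token}
        if sep == "-":
            enabled -= names
            continue
        enabled |= names
        if sep == ",":
            warnings.append(
                f"The protocol [{token}] was added to the list of protocols on "
                f"the SSLHostConfig named [_default_]. "
                f"Check if a +/- prefix is missing.")
    return enabled, warnings


def explicit_form(value):
    """Rewrite a value into the explicit '+' form that selects the same
    protocols without triggering the "," compatibility warning."""
    enabled, _ = parse_ssl_enabled_protocols(value)
    return "".join("+" + p for p in sorted(enabled))
```

Feeding the howto's example value through it yields one warning per comma-prefixed token, matching the log line in the report, while the rewritten "+" form parses to the same set with no warning.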
[Bug 61803] Documentation for sslEnabledProtocols describes the incorrect way to set this option
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61803
--- Comment #1 from Simon Dawson <si...@sas.com> ---
Here is the original patch that changed this for version 8.
https://svn.apache.org/viewvc?view=revision&revision=1681779
It did include some documentation updates but not to sslEnabledProtocols.
[Bug 61803] Documentation for sslEnabledProtocols describes the incorrect way to set this option
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61803
Remy Maucherat <re...@apache.org> changed:

           What    |Removed   |Added
    ---------------+----------+----------
     Resolution    |---       |FIXED
     Status        |NEW       |RESOLVED
--- Comment #2 from Remy Maucherat <re...@apache.org> ---
After a review, this section of the security howto doc is outdated and it can be removed.
Fixed in:
- trunk for 9.0.2 onwards
- 8.5.x for 8.5.24 onwards
- 8.0.x for 8.0.48 onwards
- 7.0.x for 7.0.83 onwards
(thanks to Mark for the cut and paste :) )