Posted to dev@tomcat.apache.org by Coty Sutherland <cs...@apache.org> on 2019/04/16 11:28:29 UTC

SSLv2Hello "Protocol" Support

Hi,

It appears that the IBM JDK (version 8) has dropped support for SSLv2Hello,
so when you start up Tomcat with the IBM JDK you get a warning saying that
the protocol is being skipped. OpenJDK seems to have dropped it in version
12 or 13 (I haven't tested, just noticed a user list thread about it), so I
guess we should look at dropping support for SSLv2Hello whenever Tomcat's
minimum JDK is one of those versions? Is there a document somewhere I can
add this to so it doesn't get forgotten?



Thanks,
Coty

Re: SSLv2Hello "Protocol" Support

Posted by Coty Sutherland <cs...@apache.org>.
If we haven't tried to remove it in 5 years, it might be worth another look
:)

On Wed, Apr 17, 2019 at 3:49 AM jean-frederic clere <jf...@gmail.com>
wrote:

> On 16/04/2019 13:28, Coty Sutherland wrote:
> > Hi,
> >
> > It appears that the IBM JDK (version 8) has dropped support for
> > SSLv2Hello, so when you start up Tomcat with the IBM JDK you get a
> > warning saying that the protocol is being skipped. OpenJDK seems to
> > have dropped it in version 12 or 13 (I haven't tested, just noticed a
> > user list thread about it), so I guess we should look at dropping
> > support for SSLv2Hello whenever Tomcat's minimum JDK is one of those
> > versions? Is there a document somewhere I can add this to so it
> > doesn't get forgotten?
> >
> >
> >
> > Thanks,
> > Coty
> >
>
> See
> https://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
> Basically, Java 5/6 clients need SSLv2Hello.
>
> I remember removing SSLv2Hello broke tests in 2004 and we had to put
> SSLv2Hello back...
>
> --
> Cheers
>
> Jean-Frederic
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

Re: SSLv2Hello "Protocol" Support

Posted by jean-frederic clere <jf...@gmail.com>.
On 16/04/2019 13:28, Coty Sutherland wrote:
> Hi,
> 
> It appears that the IBM JDK (version 8) has dropped support for SSLv2Hello,
> so when you start up Tomcat with the IBM JDK you get a warning saying that
> the protocol is being skipped. OpenJDK seems to have dropped it in version
> 12 or 13 (I haven't tested, just noticed a user list thread about it), so I
> guess we should look at dropping support for SSLv2Hello whenever Tomcat's
> minimum JDK is one of those versions? Is there a document somewhere I can
> add this to so it doesn't get forgotten?
> 
> 
> 
> Thanks,
> Coty
> 

See
https://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
Basically, Java 5/6 clients need SSLv2Hello.

I remember removing SSLv2Hello broke tests in 2004 and we had to put
SSLv2Hello back...

-- 
Cheers

Jean-Frederic



Re: SSLv2Hello "Protocol" Support

Posted by Mark Thomas <ma...@apache.org>.
On 17/04/2019 19:37, Coty Sutherland wrote:
> On Wed, Apr 17, 2019 at 2:18 PM Christopher Schultz wrote:
>> On 4/16/19 07:28, Coty Sutherland wrote:
>>> Hi,
>>>
>>> It appears that the IBM JDK (version 8) has dropped support for
>>> SSLv2Hello, so when you start up Tomcat with the IBM JDK you get a
>>> warning saying that the protocol is being skipped. OpenJDK seems to
>>> have dropped it in version 12 or 13 (I haven't tested, just noticed
>>> a user list thread about it), so I guess we should look at dropping
>>> support for SSLv2Hello whenever Tomcat's minimum JDK is one of
>>> those versions? Is there a document somewhere I can add this to so
>>> it doesn't get forgotten?
>>
>> How many / how often are these error messages generated? Just when the
>> server starts? Or with every connection?
>
> Yeah, just the Connector startup warning.

At first glance I thought this would be a right pain to fix. Looking
more closely, I think we can use explicitlyRequestedProtocols and filter
out the warning unless it was explicitly requested. That should be a
fairly simple fix.

Hmm. I think there might be some scope for some simplification here.

Mark


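The filtering Mark describes, written out as an added example that is not Tomcat's code: the `explicit` flag stands in for Tomcat's explicitlyRequestedProtocols, the DEFAULT_PROTOCOLS list is an assumed stand-in for the expansion of protocols="all", and the supported set is read from the running JDK. A protocol the JDK has dropped is skipped silently when it came from the defaults and reported only when the operator named it in the configuration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example, not Tomcat code: enable the configured protocol names the
// running JDK supports, warning only for ones the operator asked for by name.
public class ProtocolFilter {
    // Hypothetical stand-in for Tomcat's expansion of protocols="all".
    static final List<String> DEFAULT_PROTOCOLS =
            Arrays.asList("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2");

    static final class Result {
        final List<String> enabled = new ArrayList<>();
        final List<String> warnings = new ArrayList<>();
    }

    // 'explicit' plays the role of Tomcat's explicitlyRequestedProtocols flag.
    static Result filter(List<String> requested, boolean explicit, Set<String> supported) {
        Result r = new Result();
        for (String p : requested) {
            if (supported.contains(p)) {
                r.enabled.add(p);            // JDK can negotiate it
            } else if (explicit) {           // named in the config: say so
                r.warnings.add("Requested protocol [" + p + "] is not supported by this JDK; skipped");
            }                                // implicit default missing: stay silent
        }
        if (r.enabled.isEmpty()) {
            r.warnings.add("No usable protocols remain; the connector cannot start");
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Real supported set from the running JDK (SSLv2Hello absent on JDKs that dropped it).
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        // Implicit defaults: a missing SSLv2Hello produces no startup warning.
        Result byDefault = filter(DEFAULT_PROTOCOLS, false, supported);
        // Explicit request: the same absence is reported, since the operator asked for it.
        Result byName = filter(Arrays.asList("SSLv2Hello", "TLSv1.2"), true, supported);
        System.out.println("default  enabled=" + byDefault.enabled + " warnings=" + byDefault.warnings);
        System.out.println("explicit enabled=" + byName.enabled + " warnings=" + byName.warnings);
    }
}
```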


Re: SSLv2Hello "Protocol" Support

Posted by Coty Sutherland <cs...@apache.org>.
On Wed, Apr 17, 2019 at 2:18 PM Christopher Schultz <chris@christopherschultz.net> wrote:

>
> Coty,
>
> On 4/16/19 07:28, Coty Sutherland wrote:
> > Hi,
> >
> > It appears that the IBM JDK (version 8) has dropped support for
> > SSLv2Hello, so when you start up Tomcat with the IBM JDK you get a
> > warning saying that the protocol is being skipped. OpenJDK seems to
> > have dropped it in version 12 or 13 (I haven't tested, just noticed
> > a user list thread about it), so I guess we should look at dropping
> > support for SSLv2Hello whenever Tomcat's minimum JDK is one of
> > those versions? Is there a document somewhere I can add this to so
> > it doesn't get forgotten?
>
> How many / how often are these error messages generated? Just when the
> server starts? Or with every connection?
>

Yeah, just the Connector startup warning.


>
> If you get a warning on startup, I'd say that's not a big deal. It
> would be a much bigger deal to kill a user's server for clients who
> must use SSLv2Hello handshakes (which are hopefully dwindling to zero
> ... about 5 years ago).
>
> I think handling questions about how to get rid of a warning would be
> better than handling questions about how to get servers back up and
> running.
>

:) True. I just wanted to point out that it was still lingering and mark it
for removal at some point since the JDKs are dropping support too.


>
> -chris
>
>
>

Re: SSLv2Hello "Protocol" Support

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Coty,

On 4/16/19 07:28, Coty Sutherland wrote:
> Hi,
> 
> It appears that the IBM JDK (version 8) has dropped support for
> SSLv2Hello, so when you start up Tomcat with the IBM JDK you get a
> warning saying that the protocol is being skipped. OpenJDK seems to
> have dropped it in version 12 or 13 (I haven't tested, just noticed
> a user list thread about it), so I guess we should look at dropping
> support for SSLv2Hello whenever Tomcat's minimum JDK is one of
> those versions? Is there a document somewhere I can add this to so
> it doesn't get forgotten?

How many / how often are these error messages generated? Just when the
server starts? Or with every connection?

If you get a warning on startup, I'd say that's not a big deal. It
would be a much bigger deal to kill a user's server for clients who
must use SSLv2Hello handshakes (which are hopefully dwindling to zero
... about 5 years ago).

I think handling questions about how to get rid of a warning would be
better than handling questions about how to get servers back up and
running.

-chris
