Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/07/04 11:07:32 UTC

Re: [tomcat-native] branch main updated: Add renegotiation info

On 30/06/2022 17:47, Christopher Schultz wrote:
> On 6/30/22 03:35, markt@apache.org wrote:

<snip/>

>> +<section name="Unsafe legacy negotiation">
>> +  <p>
>> +  Support for unsafe legacy negotiation depends on OpenSSL. Only if 
>> Tomcat
>> +  Native is compiled with a build of OpenSSL that supports legacy 
>> renegotiation
>> +  will Tomcat Native support it.
>> +  </p>
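Review bot: the paragraph does not say whether unsafe legacy renegotiation is configurable in Tomcat Native or what its default state is, which is exactly the question raised below; state it explicitly, e.g. "Unsafe legacy renegotiation is disabled by default and must be explicitly enabled; it is only available when the OpenSSL build provides it." The section name says "legacy negotiation" while the body says "legacy renegotiation"; use one term throughout. The wording "compiled with a build of OpenSSL that supports legacy renegotiation" also implies some OpenSSL builds remove the feature entirely, which the follow-up says could not be confirmed, so either cite the OpenSSL build option or drop that implication and describe the behaviour in terms of OpenSSL configuration and the 3.0.x default.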
> 
> Does this mean it's /possible/ (and configurable) to use Unsafe Legacy 
> Negotiation, or does it mean that it's always-on for openssl builds 
> where it's there, and always-off when it's not there?

It means that it is possible, configurable and disabled by default to 
use unsafe legacy negotiation unless OpenSSL has been compiled with that 
functionality explicitly removed, in which case it is completely disabled.

My memory is that I found a page that indicated it was possible to 
compile OpenSSL with that functionality removed. When I went to re-check 
my facts before writing this email, I couldn't find anything to confirm 
that.

I'll re-write that page to make clear that the behaviour is determined 
by OpenSSL configuration and that with 3.0.x, support is disabled by 
default.

Mark
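As an added example (not code from this thread or from Tomcat Native), a small POSIX shell helper that checks what a TLS endpoint reports for RFC 5746 secure renegotiation, the safe mode that makes leaving unsafe legacy renegotiation disabled unproblematic. It assumes the `openssl` command-line tool is installed for the live probe; `classify_reneg` only parses `s_client` output.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Tomcat Native.
# Assumes the `openssl` CLI is available for probe_renegotiation; the
# classifier itself only reads text on stdin.

# classify_reneg: read `openssl s_client` output on stdin and print one word:
#   secure      - peer advertises secure renegotiation (RFC 5746)
#   legacy-only - peer lacks the extension; any renegotiation would be the
#                 unsafe legacy form the Tomcat Native documentation refers to
#   unknown     - handshake failed or the status line was not present
classify_reneg() {
  out=$(cat)
  case "$out" in
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *"Secure Renegotiation IS NOT supported"*) echo legacy-only ;;
    *)                                         echo unknown ;;
  esac
}

# probe_renegotiation HOST PORT: perform a real handshake and classify it.
# SNI is sent so virtual-hosted servers pick the intended certificate.
probe_renegotiation() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | classify_reneg
}

# Example live call (requires network access):
#   probe_renegotiation example.org 443
```

A result of `legacy-only` from a Tomcat instance means the OpenSSL build behind Tomcat Native is not offering RFC 5746 at all, which is worth investigating before considering any legacy setting.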

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org