Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/04/13 20:12:30 UTC

DO NOT REPLY [Bug 51056] New: Disable / drop support for SSLv2

https://issues.apache.org/bugzilla/show_bug.cgi?id=51056

           Summary: Disable / drop support for SSLv2
           Product: Tomcat Native
           Version: 1.1.20
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Library
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: drazzib@drazzib.com


Hi,

SSL 2.0 support got removed from many Debian GNU/Linux (and many other Linux
distros) and SSL 2.0 is disabled by default in Internet Explorer 7, Mozilla
Firefox 3, Opera and Safari.

Its use has been deprecated because of weaknesses in the security of the
protocol. For example, http://www.openssl.org/news/secadv_20051011.txt

I propose to simply drop any support for SSLv2 in Tomcat Native lib with the
attached patch.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> 2011-07-19 23:43:25 UTC ---
Created attachment 27300
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27300
Drop SSLv2 support in native examples

To apply the patch one has to remove those "a/jni" and "b/jni" prefixes that do
not match the svn source layout. There were changes in sslcontext.c recently,
so the patch does not apply cleanly anymore.

Anyway,
1) tc-native is still used on old systems, like Tomcat 5.5, and thus I don't
feel comfortable removing this feature.

Maybe consider this for trunk of tc-native or postpone until native 1.2 is
nearer?

Maybe make this code conditional using some #define, e.g. OpenSSL version?

2) +1 to disable it by default in java code in Tomcat


The patch also updates tc-native examples. I am attaching a part of Damien
Raude-Morvan's patch that modifies the examples, against 1.1.x branch of
tomcat/native.


Regarding the examples:
* examples/org/apache/tomcat/jni/SSLServer.java:
 OK for the change
* examples/org/apache/tomcat/jni/SSL.properties:
 -1:
 First, if I understand the old value correctly, it enables "ALL" ciphers, then
shifts SSLv2 to the end of the list by priority. Removing SSLv2 moves it to the
front of the list and that is wrong. To disable it, one can write !SSLv2

 Second, the old value matches whatever default is in Apache HTTPD 2.2, see

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Apache HTTPD 2.3 docs say that default depends on OpenSSL version, without
providing further specifics. I do not see the value in the code - I think it
comes from OpenSSL.

OpenSSL docs say that the default value is DEFAULT and it is determined at
compile time.

 http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Apparently for OpenSSL 1.0.0 the correct value to be used as default will be
literally "DEFAULT".

The above mentioned OpenSSL docs say that for 1.0.0 the default value is
normally "ALL:!aNULL:!eNULL". This is not true for the copy of OpenSSL 1.0.0d
that I have. The command to list ciphers, "openssl ciphers -v <cipherslist>"
does not list SSLv2 ciphers for DEFAULT, but does mention one SSLv2 cipher for 
"ALL:!aNULL:!eNULL".

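To make the ordering rules described in the comment above concrete, here is an added illustration that is not part of the bug thread or of tc-native: a small Python model of how OpenSSL evaluates a cipher string (bare token appends, "+" moves to the end, "-" removes, "!" removes permanently), run over a constructed, simplified cipher table. It shows why "+SSLv2" pushes the SSLv2 ciphers to the end, why dropping that token leaves them wherever "ALL" placed them, and why "!SSLv2" is the way to disable them.

```python
# Constructed, simplified subset of an OpenSSL-style cipher table (not the real
# table): list order is the order "ALL" would enumerate them in this model.
CIPHERS = [
    ("DES-CBC3-MD5",       {"SSLv2", "RSA", "HIGH"}),
    ("IDEA-CBC-MD5",       {"SSLv2", "RSA", "MEDIUM"}),
    ("AES256-SHA",         {"SSLv3", "TLSv1", "RSA", "HIGH"}),
    ("DHE-RSA-AES128-SHA", {"SSLv3", "TLSv1", "DH", "HIGH"}),
    ("ADH-AES128-SHA",     {"SSLv3", "TLSv1", "aNULL", "HIGH"}),
    ("EXP-RC4-MD5",        {"SSLv3", "TLSv1", "RSA", "RC4", "EXPORT", "LOW"}),
]


def matches(attrs, token):
    """A token like 'RC4+RSA' is an AND of attributes; 'ALL' matches everything."""
    return all(part == "ALL" or part in attrs for part in token.split("+"))


def evaluate(spec):
    """Return the ordered cipher list that the colon-separated cipher string selects."""
    selected = []       # current ordered list
    killed = set()      # ciphers removed with '!' can never come back
    for raw in spec.split(":"):
        if not raw:
            continue
        op, token = (raw[0], raw[1:]) if raw[0] in "+-!" else ("", raw)
        hits = [name for name, attrs in CIPHERS
                if matches(attrs, token) and name not in killed]
        if op == "":
            # bare token: append matching ciphers not already present, keep others in place
            selected += [name for name in hits if name not in selected]
        elif op == "+":
            # '+': move already-selected matches to the end (lowest priority), add nothing
            moved = [name for name in selected if name in hits]
            selected = [name for name in selected if name not in hits] + moved
        elif op == "-":
            # '-': remove, but a later bare token may add them back
            selected = [name for name in selected if name not in hits]
        else:
            # '!': remove and forbid re-adding
            selected = [name for name in selected if name not in hits]
            killed |= set(hits)
    return selected


if __name__ == "__main__":
    for spec in ("ALL:!aNULL:+SSLv2", "ALL:!aNULL", "ALL:!aNULL:!SSLv2"):
        print(f"{spec:22} -> {evaluate(spec)}")
```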


DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


--- Comment #4 from drazzib <dr...@drazzib.com> 2011-07-19 20:18:26 UTC ---
Hi,

@jfclere: Could you explain a little more your issue with the format of the
current patch attached to this Bugzilla? AFAIK, it's in udiff format and I'm
able to apply it with "patch -p1 < drop_sslv2_support.diff".

@Rainer Jung: SSLv2 is disabled in IE7, Opera and Firefox since 2006. So one
day or another you'll have to drop support for it :)

Best regards,
-- 
Damien Raude-Morvan



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


--- Comment #7 from drazzib <dr...@drazzib.com> 2011-08-12 18:00:50 UTC ---
I've updated my patch:
- for 1.1.22 release
- to use OPENSSL_NO_SSL2 define instead of dropping code



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


--- Comment #3 from Rainer Jung <ra...@kippdata.de> 2011-07-19 11:09:30 UTC ---
I'm not so sure that the library should drop support, but I would be +1 to
support only SSLv3 and TLSv1 by default in Tomcat if not explicitly configured
for something else (e.g. with +SSLv2).

The change will be incompatible though, but probably OK because of security
concerns.

Regards,

Rainer



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


jfclere <jf...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from jfclere <jf...@gmail.com> 2011-07-21 09:58:31 UTC ---
Fixed by 1149093 (native) and 1149092 (tc_trunk).
The fix doesn't remove SSLv2 it just removes it from the defaults.



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


--- Comment #1 from drazzib <dr...@drazzib.com> 2011-04-13 14:13:28 EDT ---
Created an attachment (id=26883)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26883)
Drop SSLv2 support.



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


drazzib <dr...@drazzib.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #26883|0                           |1
        is obsolete|                            |

--- Comment #8 from drazzib <dr...@drazzib.com> 2011-08-12 18:01:40 UTC ---
Created attachment 27383
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27383
Drop SSLv2 support



DO NOT REPLY [Bug 51056] Disable / drop support for SSLv2


jfclere <jf...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from jfclere <jf...@gmail.com> 2011-07-19 10:12:41 UTC ---
Could you attach a diff -u?
