Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/04/16 06:20:27 UTC
DO NOT REPLY [Bug 51073] New: Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
https://issues.apache.org/bugzilla/show_bug.cgi?id=51073
Summary: Misconfigured SSLProtocol with an AprEndpoint silently
falls back to ALL
Product: Tomcat 7
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
AssignedTo: dev@tomcat.apache.org
ReportedBy: colin@colinharrington.net
When configuring Tomcat with an SSL Connector with an AprEndpoint (using the
Http11AprProtocol), if you misconfigure the SSLProtocol, it silently falls
back to "all", which can be very dangerous.
For example this configuration may seem convincing:
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true"
port="443"
scheme="https"
secure="true"
...Other SSL configuration...
SSLProtocol="-ALL +SSLv3 +TLSv1"
.../>
The documentation states valid values for the SSL protocol, but if the values
don't line up exactly, it defaults to "ALL":
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support
SSLProtocol: 'Protocol which may be used for communicating with clients. The
default is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1"
and "SSLv2+SSLv3".'
Misconfiguration of an SSLProtocol should never silently fall back to enabling
all protocols. At minimum, misconfiguration of this value should result in
logged error messages. Since SSLv2 is vulnerable to several attacks known to
have some serious security flaws, even allowing the possibility of
man-in-the-middle attacks, I think a misconfiguration should cause the
connector to fail.
@See
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
I think that "all" should be specifically allowed (along with "" or null), and
all other unexpected values should fail loudly.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
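Added example, not code from the report or from Tomcat's AprEndpoint: the lenient parse the report describes (an unrecognised value falls through to ALL) beside a strict parse that accepts only "all", "", null and the four documented values and throws on anything else. The PROTO_* bit flags and the class name are constructed stand-ins, not tomcat-native's real constants.

```java
import java.util.Locale;
// Constructed stand-ins for the OpenSSL protocol bit flags; not tomcat-native's real constants.
public final class SslProtocolConfig {
    static final int PROTO_SSLV2 = 1 << 0;
    static final int PROTO_SSLV3 = 1 << 1;
    static final int PROTO_TLSV1 = 1 << 2;
    static final int PROTO_ALL   = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1;
    // Behaviour the report describes: the fall-through default is ALL, so a typo or an
    // unsupported syntax such as "-ALL +SSLv3 +TLSv1" silently leaves SSLv2 enabled.
    static int parseLenient(String sslProtocol) {
        int value = PROTO_ALL;
        if ("SSLv2".equalsIgnoreCase(sslProtocol)) {
            value = PROTO_SSLV2;
        } else if ("SSLv3".equalsIgnoreCase(sslProtocol)) {
            value = PROTO_SSLV3;
        } else if ("TLSv1".equalsIgnoreCase(sslProtocol)) {
            value = PROTO_TLSV1;
        } else if ("SSLv2+SSLv3".equalsIgnoreCase(sslProtocol)) {
            value = PROTO_SSLV2 | PROTO_SSLV3;
        }
        return value;
    }
    // Hardened form along the lines the reporter asks for: only "all", "" and null mean
    // ALL; any other string is rejected so the connector fails instead of starting.
    static int parseStrict(String sslProtocol) {
        if (sslProtocol == null || sslProtocol.trim().isEmpty()) {
            return PROTO_ALL;
        }
        switch (sslProtocol.trim().toLowerCase(Locale.ENGLISH)) {
            case "all":         return PROTO_ALL;
            case "sslv2":       return PROTO_SSLV2;
            case "sslv3":       return PROTO_SSLV3;
            case "tlsv1":       return PROTO_TLSV1;
            case "sslv2+sslv3": return PROTO_SSLV2 | PROTO_SSLV3;
            default:
                throw new IllegalArgumentException("Unsupported SSLProtocol value ["
                        + sslProtocol + "]; expected all, SSLv2, SSLv3, TLSv1 or SSLv2+SSLv3");
        }
    }
    public static void main(String[] args) {
        String fromReport = "-ALL +SSLv3 +TLSv1";   // the value quoted in the bug report
        int lenient = parseLenient(fromReport);
        System.out.println("lenient parse keeps SSLv2 enabled: " + ((lenient & PROTO_SSLV2) != 0));
        try {
            parseStrict(fromReport);
        } catch (IllegalArgumentException e) {
            System.out.println("strict parse rejects it: " + e.getMessage());
        }
    }
}
```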
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
changyao <qi...@126.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Connector:Coyote |Servlet & JSP API
Version|5.5.33 |6.0.14
Product|Tomcat 5 |Tomcat 6
Target Milestone|--- |default
--- Comment #4 from changyao <qi...@126.com> 2011-11-09 02:12:12 UTC ---
(In reply to comment #2)
> Fixed in 6.0.x and will be included in 6.0.33 onwards.
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #3 from Mark Thomas <ma...@apache.org> 2011-08-18 17:05:48 UTC ---
This has been fixed in 5.5.x and will be included in 5.5.34 onwards.
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
changyao <qi...@126.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS/Version|All |Linux
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Connectors |Connector:Coyote
Version|unspecified |5.5.33
Product|Tomcat 7 |Tomcat 5
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-04-17 09:02:13 EDT ---
Fixed in 7.0.x and will be included in 7.0.13 onwards.
Proposed for 5.5.x and 6.0.x.
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
--- Comment #2 from Mark Thomas <ma...@apache.org> 2011-05-18 12:12:19 UTC ---
Fixed in 6.0.x and will be included in 6.0.33 onwards.
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Servlet & JSP API |Connector:Coyote
Version|6.0.14 |5.5.33
Product|Tomcat 6 |Tomcat 5
Target Milestone|default |---
OS/Version|Linux |All
DO NOT REPLY [Bug 51073] Misconfigured SSLProtocol with an
AprEndpoint silently falls back to ALL
--- Comment #5 from changyao <qi...@126.com> 2011-11-09 02:12:49 UTC ---
(In reply to comment #2)
> Fixed in 6.0.x and will be included in 6.0.33 onwards.