Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/11/19 18:13:43 UTC

[Bug 57238] New: Updated SSL/TLS information for Tomcat 8/9

https://issues.apache.org/bugzilla/show_bug.cgi?id=57238

            Bug ID: 57238
           Summary: Updated SSL/TLS information for Tomcat 8/9
           Product: Tomcat 8
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: glen@organicdesign.org

Created attachment 32218
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32218&action=edit
A documentation diff made using git-svn diff.

ssl-howto.html: Added TLS to the title and updated to say SSL/TLS in a few
places and to acknowledge that SSL is obsolete since the POODLE attack this
year, and that Transport Layer Security (TLS) has replaced it.  Didn't go crazy
because all the Tomcat settings are still called sslWhatever.  Linked to the
security-howto.html document.

security-howto.html: Added that the ciphers attribute supports OpenSSL syntax,
plus an example attribute-value that works well today.  Also added a paragraph
on sslEnabledProtocols since this is the only way I know to make standalone
Tomcat POODLE-proof.

I may have made these changes to the Tomcat 9 docs by accident, but they apply
equally well to 8 or 9 AFAIK, so maybe someone could merge them appropriately?

Christopher Schultz suggested on the Tomcat Users list 2011-11-13 that I try
submitting a documentation patch here as an attachment.  This is my first
Tomcat Documentation Patch ever.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
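As an added illustration (not part of the bug report or the attached patch), the script below audits constructed `server.xml` fragments for the two connector settings the report names: `sslEnabledProtocols`, which the reporter describes as the way to keep standalone Tomcat from negotiating SSLv3 after POODLE, and `ciphers`, which the patch documents as accepting OpenSSL syntax. It shows a weak connector that still lists SSLv3 beside a corrected one restricted to TLS, and a third that sets neither attribute and so leaves protocol and cipher selection to the JVM defaults. The attribute names are real Tomcat 8 HTTP connector attributes; the port, keystore path, password and cipher string are constructed sample values, not the ones from the submitted patch.

```python
import xml.etree.ElementTree as ET

# Constructed sample connector configurations (illustrative values, not the
# attachment's contents). Attribute names match Tomcat 8 connector attributes.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
               sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Corrected form: SSLv3 dropped from the enabled protocols and an explicit
# OpenSSL-syntax cipher string (a constructed example value).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Neither attribute set: whatever the JVM enables by default is what Tomcat
# offers, so the configuration itself does not rule SSLv3 out.
DEFAULTS_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
               sslProtocol="TLS"/>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_connectors(server_xml):
    """Return (port, finding) pairs for every TLS-enabled connector that still
    lists SSLv2/SSLv3 or leaves protocol or cipher selection to JVM defaults."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat's attribute is literally "SSLEnabled"; ElementTree keeps case.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")

        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "sslEnabledProtocols not set: "
                                   "protocol versions left to JVM defaults"))
        else:
            # The attribute is a comma-separated list of protocol names.
            tokens = {t.strip() for t in enabled.split(",") if t.strip()}
            legacy = sorted(tokens & LEGACY_PROTOCOLS)
            if legacy:
                findings.append((port, "legacy protocol(s) enabled: "
                                       + ", ".join(legacy)))

        if conn.get("ciphers") is None:
            findings.append((port, "ciphers not set: "
                                   "cipher suites left to JVM defaults"))
    return findings


def is_poodle_safe_by_config(server_xml):
    """True only when every TLS connector explicitly enables a protocol list
    that contains no SSLv2/SSLv3 entry."""
    return not any("protocol" in msg for _, msg in audit_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("defaults", DEFAULTS_SERVER_XML)):
        print(label, is_poodle_safe_by_config(xml), audit_connectors(xml))
```

The check is deliberately conservative: a connector without `sslEnabledProtocols` is reported even though a recent JRE may already disable SSLv3, because the server configuration alone then gives no guarantee, which is exactly why the report adds the attribute to the documentation.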


[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
Thank you for your contribution!

A few comments on the patch:

0. "Author" tags have been discouraged, while the older contributors names have
been left in for ... nostalgia?

1. The level of detail you have added to security-howto.xml is probably not
necessary. The note about supporting OpenSSL-ciphers-style configuration should
be in the configuration section instead. I'm not sure it's appropriate to put in
instructions for getting high scores on Qualys's SSL/TLS testing.

2. I wonder about the change in naming for the "SSL" sections to "SSL/TLS". I
think it's good, but might break URLs containing anchors in archives, other
sites, etc. The page will still exist of course, only the anchor will no longer
function. Perhaps you could add an explicit anchor alias using <a
name="Introduction to SSL"><!-- --></a><a name="Introduction_to_SSL"><!--
--></a> to be kind to the anchors.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #32218|0                           |1
           is patch|                            |



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Konstantin Kolinko <kn...@gmail.com> ---
Applied to Tomcat trunk and 8 (r1644321, r1644333), will be in 8.0.16 onwards.
Thank you.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


Glen Peterson <gl...@organicdesign.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #32264|0                           |1
        is obsolete|                            |
  Attachment #32264|Fix for previous patch      |OOPS!  This was my
        description|                            |user-error in submitting my
                   |                            |fixed patch twice.

--- Comment #6 from Glen Peterson <gl...@organicdesign.org> ---
Comment on attachment 32264
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32264
OOPS!  This was my user-error in submitting my fixed patch twice.

USER-ERROR SUBMISSION - please delete/ignore.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Christopher Schultz from comment #1)
> 0. "Author" tags have been discouraged, while the older contributors names
> have been left in for ... nostalgia?

One should not add author tags. People are credited in commit message and
changelog.

> 2. I wonder about the change in naming for the "SSL" sections to "SSL/TLS".
> I think it's good, but might break URLs containing anchors in archives,
> other sites, etc. The page will still exist of course, only the anchor will
> no longer function. Perhaps you could add an explicit anchor alias using <a
> name="Introduction to SSL"><!-- --></a><a name="Introduction_to_SSL"><!--
> --></a> to be kind to the anchors.

Hint: the anchor name can be set explicitly with the "anchor" attribute on a
<section> or <subsection>.

See r1643055 for an example.


3. Update the document name in the menu and on the introduction page:
project.xml (SSL -> SSL/TLS)
index.xml



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


Glen Peterson <gl...@organicdesign.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #32218|0                           |1
        is obsolete|                            |
                 CC|                            |glen@organicdesign.org

--- Comment #4 from Glen Peterson <gl...@organicdesign.org> ---
Created attachment 32263
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32263&action=edit
Made changes as suggested by others.

Thank you Christopher, Mark and Konstantin for your suggestions.  I'm
responding to Christopher's numbers:

0. Author tags removed.

1a. Detailed configuration examples removed.

1b. The OpenSSL-ciphers-style configuration is specific to the ciphers
attribute.  The ssl-config doc says nothing about ciphers - that is only
referenced in the security-how-to.  I believe the two belong together, so I
left them here.

2. Made sure the old anchors are preserved.

2.5(Mark). Made links to 3rd parties no-follow

3(Konstantin). Updated the document names on the menu and introduction pages.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


--- Comment #2 from Mark Thomas <ma...@apache.org> ---
The best SSL settings are a moving target. I don't think we should be putting
those in the docs. Maybe on the wiki which is more ephemeral.

I've no objection to adding a link to ssllabs - it is a useful resource - but
it needs to be no-follow.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


--- Comment #8 from Konstantin Kolinko <kn...@gmail.com> ---
Applied to Tomcat 7 as well (r1644339), will be in 7.0.58.



[Bug 57238] Updated SSL/TLS information for Tomcat 8/9


--- Comment #5 from Glen Peterson <gl...@organicdesign.org> ---
Created attachment 32264
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32264&action=edit
Fix for previous patch
