You are viewing a plain text version of this content. The canonical link for it is here.

Posted to legal-discuss@apache.org by "Shan, Justine" <ju...@sap.com> on 2010/01/20 19:54:42 UTC

Export Compliance: Tomcat encryption 5D002

Hi,

As far as I know, the only encryption implemented by Tomcat itself is SSL. But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6.

To my understanding, Tomcat relies on the JVM or JCE installed on the user's machine to implement SSL, which implies Tomcat doesn't ship any cryptographic algorithms but only implements SSL protocol. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. This implies Tomcat does contain (and thus ships with) encryption implementation. And I need to know what exactly algorithms are implemented in order to conduct the review of one of our own products that uses Tomcat.

Please reply to me at justine.shan@sap.com<ma...@sap.com>

Thank you very much!

Justine

Re: Export Compliance: Tomcat encryption 5D002

Posted by Rainer Jung <rj...@apache.org>.

On 20.01.2010 19:54, Shan, Justine wrote:
> Hi,
> As far as I know, the only encryption implemented by Tomcat itself is
> SSL. But I need to know what exactly algorithms have been implemented
> and distributed with the binary from Apache Tomcat 5.X and 6.
> To my understanding, Tomcat relies on the JVM or JCE installed on the
> user’s machine to implement SSL, which implies Tomcat doesn’t ship any
> cryptographic algorithms but only implements SSL protocol. On the other
> hand, from the Legal page Tomcat is classified as 5D002, strong
> cryptography. This implies Tomcat does contain (and thus ships with)
> encryption implementation. And I need to know what exactly algorithms
> are implemented in order to conduct the review of one of our own
> products that uses Tomcat.
> Please reply to me at _justine.shan@sap.com_ <ma...@sap.com>
> Thank you very much!
> Justine

Since this is a technical question, you should post it to the 
dev@tomcat.apache.org mailing list. See:

http://tomcat.apache.org/lists.html

I can give you an answer, which might suffice. If you need more 
information please proceed the discustion on that list.

Tomcat indeed doesn't implement encryption on its own. There is an 
optional componen named "Tomcat Native" or sometimes the "APR connector" 
which binds Tomcat to OpenSSL for encryption instead of Java SSL.

Some of our binary Tomcat download for Windows contain the tcnative dll 
with static linking to OpenSSL. So although neither Tomcat Java source 
code nor tcnative source code cointain encryption, the optional binary 
tcnative-1.dll contains OpenSSL encrpytion in compiled form.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org