Mark,
On 6/21/17 5:04 AM, Mark Thomas wrote:
> On 21/06/17 00:34, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support), as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

It's maybe worth noting that no shipped version of Sun/Oracle Java has ever implemented SSLv2, but I believe some 3rd-party libraries have/can support parts of that standard... mostly for probing to see if it's enabled. Nobody should have been building OpenSSL with SSLv2 in it for ... decades, now. But specific code to always disable SSLv2 is a Good Thing.

> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.

+1

Re-enabling SSLv3 with a current JVM requires a system property to be set, anyway, so there are two barriers to re-enabling SSLv3 on a current setup. I think it's reasonable to allow people who are willing to manually re-enable SSLv3 to go ahead and have their insecure service. :/

-chris
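A defender-side check that follows from the thread: an audit script, added here as an example and not code from the Tomcat project or from anyone on the list, that walks a server.xml and reports every TLS endpoint whose configuration requests SSLv2 or SSLv3, whether via the Tomcat 8.5 `protocols` attribute on `SSLHostConfig` or the older `sslEnabledProtocols` attribute on `Connector`. The sample server.xml is constructed for the example; on 8.5.x/9.0.x such an entry is ignored with a start-up warning, on 8.0.x/7.0.x it is honoured if the JVM allows it.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from any real deployment).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Tomcat 8.5 style: the protocol list lives on SSLHostConfig -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2,SSLv3">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <!-- Tomcat 7 / 8.0 style: the protocol list lives on the Connector itself -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>
"""

LEGACY = {"SSLv2", "SSLv3"}  # the protocols Tomcat 8.5/9.0 refuse outright


def requested_protocols(value):
    """Split a Tomcat protocol list; '+X' (or bare X) requests X, '-X' removes it."""
    wanted = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("-"):
            wanted.discard(item[1:])
        else:
            wanted.add(item.lstrip("+"))
    return wanted


def find_legacy_ssl(server_xml):
    """Return [(port, element, [legacy protocols])] for each endpoint asking for SSLv2/SSLv3."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        hit = requested_protocols(conn.get("sslEnabledProtocols", "")) & LEGACY
        if hit:
            findings.append((port, "Connector", sorted(hit)))
        for host in conn.findall("SSLHostConfig"):
            hit = requested_protocols(host.get("protocols", "")) & LEGACY
            if hit:
                findings.append((port, "SSLHostConfig", sorted(hit)))
    return findings


if __name__ == "__main__":
    for port, element, protos in find_legacy_ssl(SAMPLE_SERVER_XML):
        print(f"port {port}: {element} requests {', '.join(protos)}")
```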