Thank you so much for the answer! Regarding the classification, please see the link below: http://www.apache.org/licenses/exports/
scroll down to the product Apache Tomcat. It says it's 5D002. I also reached to Apache Legal to verify but haven't heard anything back. -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, January 20, 2010 11:10 AM To: Tomcat Users List Subject: Re: Tomcat encryption algorithms -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Justine, On 1/20/2010 1:52 PM, Shan, Justine wrote: > As far as I know, the only encryption implemented by Tomcat itself > is SSL. SSL is a strategy of securely transmitting data, which uses encryption. Technically speaking, Tomcat does not /implement/ SSL, but rather uses the JVM's SSL libraries to provide HTTP over SSL. > But I need to know what exactly algorithms have been implemented and > distributed with the binary from Apache Tomcat 5.X and 6. Tomcat does not ship with any cryptographic algorithms. > To my understanding, Tomcat relies on the JVM or JCE installed on > the user's machine to implement SSL, which implies Tomcat doesn't > ship any cryptographic algorithms but only implements SSL protocol. Correct. > On the other hand, from the Legal page Tomcat is classified as 5D002, > strong cryptography. Would you care to provide a reference? I can find none of the following strings on the "Legal" page for Tomcat (http://tomcat.apache.org/legal.html): "crypt", "5D002", "classif", or anything like that. > This implies Tomcat does contain (and thus ships with) encryption > implementation. And I need to know what exactly algorithms are > implemented. Again, none are implemented: everything is implemented by the JRE/JVM or a 3rd-party library, if you choose to install and configure one (such as Bouncy Castle... I'm sure there are others). If you just want to know which algorithms are available to your JDK, you can write a bit of code to dump-out that information, but it depends entirely on your environment. Tomcat also allows you to use OpenSSL as an SSL provider (using the APR native library) which may provide a different set of encryption algorithms to Tomcat. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktXVRAACgkQ9CaO5/Lv0PBorwCgprlSVdu1ly0DWdpvA8PS2nZV 61MAoII8HcPJ2nTTCSTflA3Ic3q2PSRb =Xnhn -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
