Re: TLS+SSLv3 but no SSLv2

Fri, 22 Jan 2010 09:04:24 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
> on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
> SSLProtocol:
> 
> "Protocol which may be used for communicating with clients. The default is 
> "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and 
> "SSLv2+SSLv3"."
> 
> Does this really mean that I can not allow a "TLSv1+SSLv3" setting while 
> forbidding SSLv2? It seems so to me, since setting SSLProtocol to this 
> obvioulsy defaults to "ALL" :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the "protocol" attribute has a limited set of values you can
choose, you can always set the ciphers you will allow using the
"ciphers" attribute. This will allow you to pick and choose the ciphers
regardless of the overall "protocol" that you choose.

The ciphers available depend upon your environment, but these are the
ones I can see in mine:

java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default Cipher
*       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_DSS_WITH_DES_CBC_SHA
*       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_DH_anon_WITH_RC4_128_MD5
*       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_RSA_EXPORT_WITH_RC4_40_MD5
*       SSL_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
*       SSL_RSA_WITH_RC4_128_MD5
*       SSL_RSA_WITH_RC4_128_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_EXPORT_WITH_RC4_40_MD5
        TLS_KRB5_EXPORT_WITH_RC4_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
        TLS_KRB5_WITH_RC4_128_MD5
        TLS_KRB5_WITH_RC4_128_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ2ncACgkQ9CaO5/Lv0PCMJACfTyFfj8zJS7tkGRewU0h2gkct
fxkAn320dKYKKYrJ/jPyXOtMXy0I9fGE
=NL0x
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to