https://bz.apache.org/bugzilla/show_bug.cgi?id=61803
Bug ID: 61803
Summary: Documentation for sslEnabledProtocols describes the
incorrect way to set this option
Product: Tomcat 8
Version: 8.5.23
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
In webapps/docs/security-howto.xml the following documentation is provided for
the sslEnabledProtocols option.
304 <p>The <strong>sslEnabledProtocols</strong> attribute determines
which
305 versions of the SSL/TLS protocol are used. Since the POODLE attack
in
306 2014, all SSL protocols are considered unsafe and a secure setting
for
307 this attribute in a standalone Tomcat setup might be
308 <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
This documentation also includes an example of setting this option.
When this is syntax is used you get the following warning text printed into
the log.
WARN - The protocol [TLSv1.1] was added to the list of protocols on the
SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
Inside org/apache/tomcat/util/net/SSLHostConfig.java there is a comment
describing
the expected format for this options and how its parsed.
441 // List of protocol names, separated by ",", "+" or "-".
442 // Semantics is adding ("+") or removing ("-") from left
443 // to right, starting with an empty protocol set.
444 // Tokens are individual protocol names or "all" for a
445 // default set of supported protocols.
446 // Separator "," is only kept for compatibility and has the
447 // same semantics as "+", except that it warns about a potentially
448 // missing "+" or "-".
I've never written a patch before but I'm keen to assist if I can get some
guidance.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
