On 16/04/2019 13:28, Coty Sutherland wrote: > Hi, > > It appears that the IBM JDK (version 8) has dropped support for SSLv2Hello > so when you startup tomcat with the IBM JDK you get a warning saying that > the protocol is being skipped. OpenJDK seems to have dropped it in version > 12 or 13 (I haven't tested, just noticed a user list thread about it) so I > guess we should look at dropping support for SSLv2Hello whenever Tomcat's > minimum JDK is one of those versions? Is there a document somewhere I can > add this too so it doesn't get forgotten? > > > > Thanks, > Coty >
See https://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html basically java5/6 clients need SSLv2Hello. I remember removing SSLv2Hello broke tests in 2004 and we had to put SSLv2Hello back... -- Cheers Jean-Frederic --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
