https://issues.apache.org/bugzilla/show_bug.cgi?id=54406
Bug ID: 54406
Summary: NIO and BIO connectors handle unsupported SSL ciphers
and sslEnabledProtocols differently
Product: Tomcat 7
Version: trunk
Hardware: PC
OS: Mac OS X 10.4
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: t...@apache.org
Classification: Unclassified
The NIO and BIO connectors share (most of) a JSSE based SSLImplementation, but
differ in their handling of the ciphers and sslEnabledProtocols attributes.
The NIO connector sets the configured values for both attributes directly on
the SSLEngine, which will fail immediately if any of them are unsupported. This
makes creating a portable/superset collection of ciphers impossible - i.e. IBM
JDKs do not support many of the cipher suite names used by JSSE and vice versa
(usually TLS_ vs SSL_ prefixes differ) and the supported options differ between
Java 6/7 etc.
The BIO connector attempts to filter the specified values down to those
supported by the SSL implementation, but has issues as well: if none of the
specified ciphers/protocols are supported it will silently use the defaults of
the SSL implementation, which can lead to unexpectedly (and unwittingly)
insecure configurations.
I propose to:
- modify the NIO connector to use the same logic as the BIO connector to
filter requested ciphers/protocols to supported values (by placing these
operations on the SSLUtil interface).
- modify the ciphers/protocols filtering logic to treat an explicit list of
unsupported options as setting no supported ciphers/protocols and warn when
this is done (it will also fail visibly with errors if SSL connections are
attempted).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
