https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #25 from Marcel Šebek <sebe...@post.cz> ---
(In reply to Christopher Schultz from comment #23)
> I've taken another look at the (updated) patches. I'm confused by the
> changes to sslcontext.c. It looks like there is no provision for
> combinations of SSL/TLS protocols.
>
> For instance, if I request (TLSv1_1 | TLSv1_2) then I don't get a configured
> SSL engine because of this:
>
> +#ifndef SSL_OP_NO_TLSv1_2
> + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + /* requested but not supported */
> +#endif
>
> Or is this because (TLSv1_1 | TLSv1_2) is not a supported protocol
> definition? I could only find these TLS-related server-method functions in
> the OpenSSL API:
>
> const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
> const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
> const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */

Well, I'm no longer interested in merging the patches upstream. In particular, I'm not going to update them anymore. However, I feel that I should explain the current patches.

If I remember it correctly, I found out by experiments that the only method supporting any combination of protocol versions is SSLv23_server_method. So whenever more protocols are requested, this method should be used. Don't be confused by its name, it actually supports all TLS versions.

The code

+#ifndef SSL_OP_NO_TLSv1_2
...

means that whenever the SSL library against which tcnative is built is old enough that it doesn't support the newer TLS versions, and the user requested any of these versions, an error is returned.
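Review bot: in the quoted `#ifndef SSL_OP_NO_TLSv1_2` arm, the body of `} else if (protocol & SSL_PROTOCOL_TLSV1_2) {` shows only the comment `/* requested but not supported */`; if this is where the "requested but not supported" error is raised, put the explicit error return inside that arm so the failure is visible where it is detected rather than relying on fall-through. Wrapping an `else if` arm in `#ifndef` also changes the shape of the if/else chain depending on the preprocessor, which is what confused the reviewer; a one-line comment above the block noting that a TLSv1_2-capable library handles the SSL_PROTOCOL_TLSV1_2 bit in a later branch, and that combinations of bits go to SSLv23_server_method, would save the next reader the same question.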
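The selection rule described in the comment above (one version requested: that version's server method; several versions: SSLv23_server_method with the unwanted versions disabled via SSL_OP_NO_* options; a version the build-time library lacks: an error), as an added example that is not tcnative's code. It deliberately does not include OpenSSL headers: the PROTO_* bits are modelled on tcnative's SSL_PROTOCOL_* flags with assumed values, the OPT_NO_* constants stand in for OpenSSL's SSL_OP_NO_* bits, and the `lib_has_tls1x` argument stands in for the compile-time `#ifdef SSL_OP_NO_TLSv1_2` test so that the "too old a library" path can be exercised at run time.

```c
#include <stdio.h>

/* Protocol bits, modelled on tcnative's SSL_PROTOCOL_* flags; the values are assumed. */
#define PROTO_SSLV2   (1 << 0)
#define PROTO_SSLV3   (1 << 1)
#define PROTO_TLSV1   (1 << 2)
#define PROTO_TLSV1_1 (1 << 3)
#define PROTO_TLSV1_2 (1 << 4)
#define PROTO_ALL     (PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2)

/* Stand-ins for OpenSSL's SSL_OP_NO_* bits (assumed values; only distinctness matters here). */
#define OPT_NO_SSLV2   0x01UL
#define OPT_NO_SSLV3   0x02UL
#define OPT_NO_TLSV1   0x04UL
#define OPT_NO_TLSV1_1 0x08UL
#define OPT_NO_TLSV1_2 0x10UL

enum method_choice {
    METHOD_SSLV2, METHOD_SSLV3, METHOD_TLSV1, METHOD_TLSV1_1, METHOD_TLSV1_2,
    METHOD_SSLV23,            /* version-flexible method; pair it with disable_options() */
    METHOD_ERR_UNSUPPORTED,   /* a requested version is not in the linked library */
    METHOD_ERR_BAD_MASK       /* empty mask or unknown bits */
};

/*
 * lib_has_tls1x plays the role of `#ifdef SSL_OP_NO_TLSv1_2` in the patch:
 * 1 if the library defines the TLS 1.1/1.2 option bits, 0 if it is too old.
 */
enum method_choice choose_method(int protocol, int lib_has_tls1x)
{
    if (protocol == 0 || (protocol & ~PROTO_ALL) != 0)
        return METHOD_ERR_BAD_MASK;

    /* Requested but not supported: fail explicitly instead of silently downgrading. */
    if (!lib_has_tls1x && (protocol & (PROTO_TLSV1_1 | PROTO_TLSV1_2)) != 0)
        return METHOD_ERR_UNSUPPORTED;

    /* More than one bit set: only SSLv23_server_method negotiates a range. */
    if ((protocol & (protocol - 1)) != 0)
        return METHOD_SSLV23;

    switch (protocol) {
    case PROTO_SSLV2:   return METHOD_SSLV2;
    case PROTO_SSLV3:   return METHOD_SSLV3;
    case PROTO_TLSV1:   return METHOD_TLSV1;
    case PROTO_TLSV1_1: return METHOD_TLSV1_1;
    default:            return METHOD_TLSV1_2;
    }
}

/*
 * For METHOD_SSLV23: the options to OR into SSL_CTX_set_options() so that every
 * version NOT in the mask is switched off (the flexible method enables all by default).
 */
unsigned long disable_options(int protocol)
{
    unsigned long opts = 0;
    if (!(protocol & PROTO_SSLV2))   opts |= OPT_NO_SSLV2;
    if (!(protocol & PROTO_SSLV3))   opts |= OPT_NO_SSLV3;
    if (!(protocol & PROTO_TLSV1))   opts |= OPT_NO_TLSV1;
    if (!(protocol & PROTO_TLSV1_1)) opts |= OPT_NO_TLSV1_1;
    if (!(protocol & PROTO_TLSV1_2)) opts |= OPT_NO_TLSV1_2;
    return opts;
}

static const char *method_name(enum method_choice m)
{
    static const char *names[] = {
        "SSLv2_server_method", "SSLv3_server_method", "TLSv1_server_method",
        "TLSv1_1_server_method", "TLSv1_2_server_method", "SSLv23_server_method",
        "ERROR: requested version not supported by library", "ERROR: bad protocol mask"
    };
    return names[m];
}

int main(void)
{
    /* Constructed cases, including the (TLSv1_1 | TLSv1_2) combination from the question. */
    struct { int mask; int lib; } cases[] = {
        { PROTO_TLSV1_2, 1 },
        { PROTO_TLSV1_1 | PROTO_TLSV1_2, 1 },
        { PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2, 1 },
        { PROTO_TLSV1_2, 0 },
        { PROTO_TLSV1, 0 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum method_choice m = choose_method(cases[i].mask, cases[i].lib);
        printf("mask=0x%02x lib_has_tls1x=%d -> %s", cases[i].mask, cases[i].lib, method_name(m));
        if (m == METHOD_SSLV23)
            printf(" with SSL_OP_NO_* mask 0x%02lx", disable_options(cases[i].mask));
        printf("\n");
    }
    return 0;
}
```

The point worth keeping from this layout is that the unsupported-version check runs before the single-versus-multiple split, so a mask such as (TLSv1 | TLSv1_2) on an old library is rejected rather than quietly reduced to what the library happens to offer.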