All,

On 10/21/14 5:05 AM, Mark Thomas wrote:
> Version 1.1.32 includes the following changes:
> - Add support for TLS v1.1 and TLS v1.2
> - Windows binaries built with APR 1.5.1 and OpenSSL 1.0.1j
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> Since this release is primarily to address security issues, I may end
> the vote earlier than 72 hours to speed up the process of getting Tomcat
> releases out that address CVE-2014-3566.
> 
> The Apache Tomcat Native 1.1.31 is
>  [X] Stable, go ahead and release
>  [ ] Broken because of ...

Tested combinations of SSLv3, TLSv1, TLSv1.1, TLSv1.2 with Tomcat
8-trunk and all configured and responded as expected.

For instance, when using SSLProtocol="TLSv1+TLSv1.2", I can connect with
these protocol and cipher combinations from Java 7:

Supported Protocol Cipher Suite
 Accepted    TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted    TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted    TLSv1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.1 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
 Accepted  TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.2 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted  TLSv1.2 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

No other protocols (SSLv2, SSLv3, TLSv1.1) were accepted and no other
cipher suites were accepted for either TLSv1 or TLSv1.2.

(I'm surprised there's not more overlap in the number of cipher suites
that Java 7 and OpenSSL support given those two protocols.)

Lightly tested AjpAprProtocol and HttpAprProtocol for regressions... all
seems well.

-chris
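
An added example, not part of the original message or of Tomcat's code: a small audit that parses a plus-joined SSLProtocol value and flags accepted handshakes in a scan report for protocols outside that value, or for SSLv2/SSLv3 regardless of the value. The sample rows, the "Rejected" status and all function names are constructed for illustration; the "all" keyword is not handled.

```python
import re

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BROKEN = {"SSLv2", "SSLv3"}  # SSLv3 is the protocol affected by CVE-2014-3566

# Constructed sample in the report's "status protocol cipher" layout; not real scan output.
SAMPLE = """\
 Accepted    TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
 Rejected    SSLv3 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 Accepted    SSLv3 SSL_RSA_WITH_RC4_128_SHA
"""

def parse_ssl_protocol(value):
    """Split a plus-joined SSLProtocol value into a set of protocol names."""
    names = {p.strip() for p in value.split("+")}
    unknown = names - set(KNOWN)
    if unknown:
        raise ValueError("unrecognised protocol(s): %s" % sorted(unknown))
    return names

def parse_rows(text):
    """Yield (status, protocol, cipher) for each row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\S+)\s+(\S+)\s*$", line)
        if m and m.group(2) in KNOWN:
            yield m.groups()

def audit(ssl_protocol, scan_text):
    """Return findings for accepted handshakes the configuration should not allow."""
    allowed = parse_ssl_protocol(ssl_protocol)
    findings = []
    for status, proto, cipher in parse_rows(scan_text):
        if status != "Accepted":
            continue
        if proto in BROKEN:
            # Flagged even if the configured value lists it.
            findings.append(("broken-protocol", proto, cipher))
        elif proto not in allowed:
            findings.append(("not-configured", proto, cipher))
    return findings

if __name__ == "__main__":
    for finding in audit("TLSv1+TLSv1.2", SAMPLE):
        print(*finding)
```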
