If you review the Tomcat 6 documentation here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support , you will see "sslEnabledProtocols." On the desc. for that setting there are links for Java 6 and Java 7 protocol lists, and they both include SSLv2. Not nitpicking here, just know that I saw it. I was looking at the TC 6 -> Java 6 / 7 documentation because I was working with Tomcat 6 and Java 7.
I understand it is not in the Java 8 documentation. I attached a screenshot. On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > Andrew, > > On 11/18/14 2:58 PM, Andrew Carr wrote: > > Chris, > > > > Thank you for the response. I will include the full stack trace next > time. > > > >> > >> > >> > >> Note that, like polio, SSLv2 has been wiped from the face of the planet. > >> > >> This is not an error. This will not impact anyone of consequence. > >> > >> You may be looking for "SSLv2Hello". > >> > >> -chirs > >> > >> > >> > > You said that I might be looking for SSLv2Hello, but I am not. My point > > is not the use of SSLv2 because it would be wise, but the fact that the > > list of protocols on the Oracle page includes SSLv2. > > It most certainly *does not*: > > > https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider > > SSLv2 is dead, dead, dead. > > > This list is referred > > to by the tomcat configuration documentation, which would lead someone to > > believe this is a valid setting. Maybe we just add a note about SSLv2? > > There are notes everywhere that SSLv2 is not trusted. > > > Maybe it's not important? > > Not really. Anyone wanting to use SSLv2 should experience abject failure. > > -chris > > -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
