On 26.05.2015 at 18:02, Rémy Maucherat wrote:
2015-05-26 17:40 GMT+02:00 Rainer Jung <rainer.j...@kippdata.de>:
I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
also for JSSE? There's also sslProtocol, which seems to be for JSSE but the
docs looked like protocol were for both. Or is it work in progress?
No, "protocols" is used for both types.
"sslProtocol" is JSSE only since it would be the JCE provider name (as in
javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
mostly unusable, configuration doesn't look very useful (it should be
"TLS").
OK, thanks Rémy, I corrected a wrong addition I had put into the docs.
Related: JSSE by default uses "supported protocols minus everything that
includes SSL". APR uses all="TLSv1+TLSv1_1+TLSv1_2+SSLv2Hello". It is a
blacklist approach versus a whitelist approach (for the defaults).
This will drift apart once new protocols like TLS 1.3 get introduced. I
wonder whether we want to harmonize handling of default/all between
OpenSSL and JSSE.
If a new protocol shows up, for JSSE I assume you'd have to update the
JVM only. For APR you'd have to update the OpenSSL underneath tcnative
plus Tomcat. I know that new protocols show up only very rarely but I
wonder whether we want to use the same approach in both JSSE and OpenSSL
and whether it would be a blacklist approach like in JSSE or a whitelist
approach like in APR.
Regards,
Rainer
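An added illustration of the blacklist-versus-whitelist drift Rainer describes (example code written for this page, not Tomcat's own SSLHostConfig or JSSE/APR implementation; the protocol lists are constructed sample data, the hypothetical "old/new JVM" split stands in for a JVM update, and the JSSE-style names "TLSv1.1"/"TLSv1.2" are assumed in place of the TLSv1_1/TLSv1_2 spelling used above):

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class ProtocolDefaultsDemo {

    // Blacklist style (JSSE default as described in the thread): take every
    // protocol the provider supports and drop anything whose name contains "SSL".
    static List<String> blacklistDefault(String[] supported) {
        List<String> enabled = new ArrayList<>();
        for (String p : supported) {
            if (!p.contains("SSL")) {
                enabled.add(p);
            }
        }
        return enabled;
    }

    // Whitelist style (APR "all" as described in the thread): enable only the
    // names listed in a '+'-separated spec, and only those the provider supports.
    static List<String> whitelist(String spec, String[] supported) {
        List<String> known = Arrays.asList(supported);
        List<String> enabled = new ArrayList<>();
        for (String p : spec.split("\\+")) {
            if (known.contains(p)) {
                enabled.add(p);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample lists for two hypothetical JVM versions, not real provider output.
        String[] oldJvm = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        String[] newJvm = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
        String aprAll = "TLSv1+TLSv1.1+TLSv1.2+SSLv2Hello"; // assumed JSSE-style spelling

        System.out.println("blacklist, old JVM: " + blacklistDefault(oldJvm));
        System.out.println("blacklist, new JVM: " + blacklistDefault(newJvm)); // picks up TLSv1.3
        System.out.println("whitelist, old JVM: " + whitelist(aprAll, oldJvm));
        System.out.println("whitelist, new JVM: " + whitelist(aprAll, newJvm)); // still no TLSv1.3

        // What the running JVM's default provider really supports, obtained through
        // the SSLContext.getInstance("TLS") call mentioned in the thread.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        String[] live = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("this JVM, blacklist default: " + blacklistDefault(live));
    }
}
```

Note that the blacklist also drops SSLv2Hello (its name contains "SSL"), so the two approaches already differ before any new protocol version appears.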
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org