On 26/05/2015 18:59, Rainer Jung wrote:
> On 26.05.2015 at 18:02, Rémy Maucherat wrote:
>> 2015-05-26 17:40 GMT+02:00 Rainer Jung <rainer.j...@kippdata.de>:
>>
>>> I'm a bit confused: is "protocol" in SSLHostConfig only for OpenSSL, or
>>> also for JSSE? There's also sslProtocol, which seems to be for JSSE
>>> but the docs looked like protocol were for both. Or is it work in progress?
>>>
>>
>> No, "protocols" is used for both types.
>>
>> "sslProtocol" is JSSE only since it would be the JCE provider name (as in
>> javax.net.ssl.SSLContext.getInstance(sslProtocol)). Since I think this is
>> mostly unusable, configuration doesn't look very useful (it should be
>> "TLS").
>
> OK, thanks Rémy, I corrected a wrong addition I had put into the docs.
>
> Related: JSSE by default uses "supported protocols minus everything that
> includes SSL". APR uses all="TLSv1+TLSv1_1+TLSv1_2+SSLv2Hello". It is a
> blacklist approach versus a whitelist approach (for the defaults).
>
> This will drift apart once new protocols like TLS 1.3 get introduced. I
> wonder whether we want to harmonize handling of default/all between
> OpenSSL and JSSE.
>
> If a new protocol shows up, for JSSE I assume you'd have to update the
> JVM only. For APR you'd have to update the OpenSSL underneath tcnative
> plus Tomcat. I know that new protocols show up only very rarely but I
> wonder whether we want to use the same approach in both JSSE and OpenSSL
> and whether it would be a blacklist approach like in JSSE or a whitelist
> approach like in APR.
I think a default of everything we know is supported less those we know are not secure.

Mark
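To make the two default-computation strategies in the thread concrete, here is an added Java example (not Tomcat's code, and not what either Tomcat or tcnative actually implements). It takes the protocol list a JSSE provider reports as supported, applies the "drop anything containing SSL" blacklist Rainer describes, the fixed APR-style whitelist from the thread, and Mark's "supported minus known-insecure" rule, then repeats the exercise on a constructed list with a hypothetical "TLSv1.3" appended to show which approaches pick up a new protocol without a code change.

```java
import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class DefaultProtocols {
    // Whitelist exactly as quoted for APR in the thread: fixed, so a new protocol is
    // excluded until someone edits this list (tcnative-style names kept as on the page).
    static final List<String> APR_ALL = List.of("TLSv1", "TLSv1_1", "TLSv1_2", "SSLv2Hello");

    // Blacklist of versions we know are not secure (assumption: SSLv2/SSLv3 as the
    // "known bad" set; the thread does not enumerate it).
    static final Set<String> KNOWN_INSECURE = Set.of("SSLv2", "SSLv3", "SSLv2Hello");

    // JSSE-style default as Rainer describes it: everything supported minus anything with "SSL".
    static List<String> jsseStyle(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String p : supported) if (!p.contains("SSL")) out.add(p);
        return out;
    }

    // APR-style default: the fixed whitelist, regardless of what the library supports.
    static List<String> aprStyle(String[] supported) {
        return APR_ALL;
    }

    // Mark's proposal: everything supported minus the explicit known-insecure set.
    static List<String> markStyle(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String p : supported) if (!KNOWN_INSECURE.contains(p)) out.add(p);
        return out;
    }

    static void report(String label, String[] supported) {
        System.out.println(label + " supported : " + Arrays.toString(supported));
        System.out.println("  JSSE-style blacklist : " + jsseStyle(supported));
        System.out.println("  APR-style whitelist  : " + aprStyle(supported));
        System.out.println("  known-insecure list  : " + markStyle(supported));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        report("This JVM", supported);

        // Constructed list simulating a JVM that has just gained a new protocol version.
        String[] future = Arrays.copyOf(supported, supported.length + 1);
        future[supported.length] = "TLSv1.3";
        report("Hypothetical future JVM", future);
    }
}
```

Only the two blacklist-based defaults include the hypothetical new version automatically; the fixed whitelist stays unchanged until the list itself is edited, which is the drift Rainer points out.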