https://bz.apache.org/bugzilla/show_bug.cgi?id=59120
Bug ID: 59120
Summary: The protocol "TLS" has different interpretation in
different JRE, better use "SSL"
Product: Tomcat 8
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: WebSocket
Assignee: [email protected]
Reporter: [email protected]
In the class [1], its createSSLEngine() method uses the protocol name "TLS" to
get an SSL context. However, different JREs have different interpretation for
this protocol name. For example, Oracle/OpenJDK interprets it as "Supports some
version of TLS; may support other versions" [2], while IBM JDK interprets it as
"TLS v1.0 protocol" [3]. As TLS v1.0 is quickly getting deprecated, a more
general protocol name should be used, like "SSL". Based on my test, when "SSL"
is used to get the SSL context, both the Oracle/OpenJDK and IBM JDK use TLSv1.2
to make the connection.
This issue also applies to other Tomcat versions.
[1]
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
[2]
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
[3]
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html?lang=en
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
