Andrew,

On 11/19/14 2:47 AM, Andrew Carr wrote:
> If you review the Tomcat 6 documentation here:
> https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support ,
> you will see "sslEnabledProtocols." On the desc. for that setting
> there are links for Java 6 and Java 7 protocol lists, and they both
> include SSLv2. Not nitpicking here, just know that I saw it. I was
> looking at the TC 6 -> Java 6 / 7 documentation because I was working
> with Tomcat 6 and Java 7.

Fair enough. Two thoughts:

1. This is not a regression; it would have happened to any previous Tomcat 6.x with this JVM version
2. Nobody cares about SSLv2 and it's good that new JVMs will fail to configure a socket with that protocol enabled

> I understand it is not in the Java 8 documentation. I attached a
> screenshot.

Nope.

-chris

> On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Andrew,
>
> On 11/18/14 2:58 PM, Andrew Carr wrote:
> > Chris,
> >
> > Thank you for the response. I will include the full stack trace next time.
> >
> >> Note that, like polio, SSLv2 has been wiped from the face of the planet.
> >>
> >> This is not an error. This will not impact anyone of consequence.
> >>
> >> You may be looking for "SSLv2Hello".
> >>
> >> -chris
> >
> > You said that I might be looking for SSLv2Hello, but I am not. My point
> > is not the use of SSLv2 because it would be wise, but the fact that the
> > list of protocols on the Oracle page includes SSLv2.
>
> It most certainly *does not*:
>
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>
> SSLv2 is dead, dead, dead.
>
> > This list is referred
> > to by the tomcat configuration documentation, which would lead someone to
> > believe this is a valid setting. Maybe we just add a note about SSLv2?
>
> There are notes everywhere that SSLv2 is not trusted.
>
> > Maybe it's not important?
>
> Not really. Anyone wanting to use SSLv2 should experience abject
> failure.
>
> -chris
>
> --
> With Regards,
> Andrew Carr
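The check discussed in this thread, as an added example that is not part of the original messages or of Tomcat's code: it reads each Connector's sslEnabledProtocols value and reports names the running JVM's default SSLContext does not list as supported. The class name, method name and the sample server.xml fragment are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ConnectorProtocolCheck {
    // Constructed sample server.xml fragment (not taken from the thread).
    static final String SAMPLE =
        "<Server><Service name=\"Catalina\">"
      + "<Connector port=\"8443\" SSLEnabled=\"true\" sslEnabledProtocols=\"SSLv2,TLSv1\"/>"
      + "<Connector port=\"9443\" SSLEnabled=\"true\" sslEnabledProtocols=\"SSLv2Hello, TLSv1\"/>"
      + "</Service></Server>";

    // Maps connector port -> configured protocol names missing from 'supported'.
    // Names are compared exactly: "SSLv2" and "SSLv2Hello" are different entries.
    static Map<String, List<String>> unsupported(String xml, Set<String> supported)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the config parse cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList connectors = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("Connector");
        Map<String, List<String>> result = new LinkedHashMap<>();
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            List<String> bad = new ArrayList<>();
            // A missing attribute yields "", which is skipped below.
            for (String p : c.getAttribute("sslEnabledProtocols").split(",")) {
                String name = p.trim();
                if (!name.isEmpty() && !supported.contains(name)) bad.add(name);
            }
            if (!bad.isEmpty()) result.put(c.getAttribute("port"), bad);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Protocol names the running JVM's default TLS provider supports.
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        System.out.println("JVM supports: " + supported);
        System.out.println("Unsupported per connector port: " + unsupported(SAMPLE, supported));
    }
}
```

The supported list depends on the JVM the check runs under, so run it with the same JVM that starts Tomcat.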