Chris,

Thanks for the response. I didn't understand the "nope" at the bottom. Was it in reference to the Java 8 documentation or the screenshot? If it was the screenshot, it is attached to my email, but maybe the mailing list removed it?
http://snag.gy/lcyLt.jpg

-Andrew

On Thu, Nov 20, 2014 at 3:54 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Andrew,
>
> On 11/19/14 2:47 AM, Andrew Carr wrote:
> > If you review the Tomcat 6 documentation here:
> > https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
> > , you will see "sslEnabledProtocols." On the desc. for that setting
> > there are links for Java 6 and Java 7 protocol lists, and they both
> > include SSLv2. Not nitpicking here, just know that I saw it. I was
> > looking at the TC 6 -> Java 6 / 7 documentation because I was working
> > with Tomcat 6 and Java 7.
>
> Fair enough. Two thoughts:
>
> 1. This is not a regression; it would have happened to any previous
>    Tomcat 6.x with this JVM version
> 2. Nobody cares about SSLv2 and it's good that new JVMs will fail to
>    configure a socket with that protocol enabled
>
> > I understand it is not in the Java 8 documentation. I attached a
> > screenshot.
>
> Nope.
>
> -chris
>
> > On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >
> > Andrew,
> >
> > On 11/18/14 2:58 PM, Andrew Carr wrote:
> > > Chris,
> > >
> > > Thank you for the response. I will include the full stack trace next time.
> > >
> > >> Note that, like polio, SSLv2 has been wiped from the face of the planet.
> > >>
> > >> This is not an error. This will not impact anyone of consequence.
> > >>
> > >> You may be looking for "SSLv2Hello".
> > >>
> > >> -chirs
> > >
> > > You said that I might be looking for SSLv2Hello, but I am not. My point
> > > is not the use of SSLv2 because it would be wise, but the fact that the
> > > list of protocols on the Oracle page includes SSLv2.
> >
> > It most certainly *does not*:
> >
> > https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> >
> > SSLv2 is dead, dead, dead.
> >
> > > This list is referred
> > > to by the tomcat configuration documentation, which would lead someone to
> > > believe this is a valid setting. Maybe we just add a note about SSLv2?
> >
> > There are notes everywhere that SSLv2 is not trusted.
> >
> > > Maybe it's not important?
> >
> > Not really. Anyone wanting to use SSLv2 should experience abject
> > failure.
> >
> > -chris

--
With Regards,
Andrew Carr

e. andrewlanec...@gmail.com
w. andrew.c...@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743