[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #25 from Ralf Hauser ---

See also bug 53481 for SSLHonorCipherOrder (alias for the honorCipherOrder) as per http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

Somehow with the current Debian stable (tomcat 8.0.14) https://www.ssllabs.com/ssltest/analyze.html?d=www.privasphere.com&hideResults=on still claims "Cipher Suites (sorted by strength as the server has no preference..."

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic changed:

What       |Removed   |Added
Status     |RESOLVED  |CLOSED
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #24 from Ognjen Blagojevic ---

7.0.61 works as expected. Thank you.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Violeta Georgieva changed:

What       |Removed   |Added
Resolution |---       |FIXED
Status     |REOPENED  |RESOLVED

--- Comment #23 from Violeta Georgieva ---

Thanks for the patch. The fix will be available for 7.0.61 onwards.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #22 from Ognjen Blagojevic ---

Created attachment 32611
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32611&action=edit
Patch to add setters for SSLParameters
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic changed:

What       |Removed   |Added
Resolution |FIXED     |---
Status     |RESOLVED  |REOPENED

--- Comment #21 from Ognjen Blagojevic ---

Refactoring in r1662994 broke the support for 7.0.x. It introduced several issues:

1. Inverted if condition in AbstractEndpoint.testServerCipherSuitesOrderSupport (fixed in r1669346).

2. Steps in AbstractEndpoint.configureUseServerCipherSuitesOrder:

  (a) SSLParameters sslParameters = engine.getSSLParameters();
  (b) sslParameters.setUseCipherSuitesOrder(boolean)
  (c) engine.setSSLParameters(sslParameters)

were refactored omitting step (c).

3. Steps in JSSESocketFactory.configureUseServerCipherSuitesOrder:

  (a) SSLParameters sslParameters = socket.getSSLParameters();
  (b) sslParameters.setUseCipherSuitesOrder(boolean)
  (c) socket.setSSLParameters(sslParameters)

were refactored omitting step (c).

I'm preparing the patch for issues 2. and 3.

-Ognjen
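
The write-back omission described in comment #21, as an added Java 8+ example (not code from the Tomcat patch; the class and method names are made up for the demo): `getSSLParameters()` hands back a copy, so the setting only reaches the engine once step (c) passes the object back. The read-back check at the end of `configure` is an addition of this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class CipherOrderDemo {

    // Steps (a) and (b) only: the change lands on the returned copy and is lost.
    static void configureWithoutWriteBack(SSLEngine engine, boolean useServerOrder) {
        SSLParameters sslParameters = engine.getSSLParameters();   // (a) returns a copy
        sslParameters.setUseCipherSuitesOrder(useServerOrder);     // (b) changes the copy
    }

    // Steps (a), (b) and (c), then a read-back that fails hard if the
    // engine does not report the requested setting.
    static void configure(SSLEngine engine, boolean useServerOrder) {
        SSLParameters sslParameters = engine.getSSLParameters();   // (a)
        sslParameters.setUseCipherSuitesOrder(useServerOrder);     // (b)
        engine.setSSLParameters(sslParameters);                    // (c)
        if (engine.getSSLParameters().getUseCipherSuitesOrder() != useServerOrder) {
            throw new IllegalStateException("cipher suite order preference not applied");
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake

        // Ask for the opposite of the engine's current value so the result
        // does not depend on the JDK's default.
        boolean before = engine.getSSLParameters().getUseCipherSuitesOrder();
        boolean wanted = !before;

        configureWithoutWriteBack(engine, wanted);
        boolean afterBroken = engine.getSSLParameters().getUseCipherSuitesOrder();
        System.out.println("without step (c): applied=" + (afterBroken == wanted));

        configure(engine, wanted);
        boolean afterFixed = engine.getSSLParameters().getUseCipherSuitesOrder();
        System.out.println("with step (c):    applied=" + (afterFixed == wanted));
    }
}
```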
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Christopher Schultz changed:

What       |Removed   |Added
Resolution |---       |FIXED
Status     |NEW       |RESOLVED

--- Comment #20 from Christopher Schultz ---

Fixed in Tomcat 7.0.x in r1662633. Will be in Tomcat 7.0.60.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #19 from Christopher Schultz ---

Support for BIO connector added in Tomcat 8.0.x in r1662632.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #18 from Christopher Schultz ---

Fixed in Tomcat 8.0.x in r1662627. Will be in Tomcat 8.0.21.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #17 from Christopher Schultz ---

Fixed in trunk in r1662614. I'll start preparing a patch for Tomcat 8.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Ralf Hauser changed:

What       |Removed   |Added
CC         |          |hau...@acm.org
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #16 from Ognjen Blagojevic ---

Created attachment 32407
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32407&action=edit
Patch to add useServerCipherSuitesOrder to NIO and NIO2 connectors
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic changed:

What             |Removed     |Added
Component        |Connectors  |Connectors
Version          |trunk       |unspecified
Product          |Tomcat 8    |Tomcat 9
Target Milestone |            |-

--- Comment #15 from Ognjen Blagojevic ---

Chris,

(In reply to Christopher Schultz from comment #14)
> Ognjen, if you are still willing to produce a patch, consider writing it
> against trunk, which will require Java 8 so won't need the reflection. If we
> decide to back-port to Tomcat 8, the reflection can be re-introduced.

Ok. I will attach patch for Tomcat 9. As you suggested:

1. Parameter name is useServerCipherSuitesOrder instead of useCipherSuitesOrder.

2. Code is deduplicated / moved to superclass.

To test it:

(1) Install JDK 1.8.0
(2) Install Java 8 JCE Unlimited Strength
(3) Apply patch, build Tomcat
(4) Add JSSE Connector configuration to server.xml:
(5) Start Tomcat. Forward Secrecy is enabled (on all clients that support it)

To test with NIO2, just replace Http11NioProtocol with Http11Nio2Protocol.

-Ognjen
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #14 from Christopher Schultz ---

Ognjen, if you are still willing to produce a patch, consider writing it against trunk, which will require Java 8 so won't need the reflection. If we decide to back-port to Tomcat 8, the reflection can be re-introduced.

Are you still able to update the patch?

(In reply to Ralf Hauser from comment #13)
> Please implement this feature also for non-APR connectors A.S.A.P. - I think
> it is even worthwhile to backport to Tomcat 7!

This enhancement request is specifically targeted towards the non-APR connectors. The APR connector already supports this capability via the SSLHonorCipherOrder setting.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #13 from Ralf Hauser ---

Getting as many clients to choose a forward-secret cipher even if their makers didn't think of putting forward-secret ciphers highest priority is important in today's world of massive eavesdropping.

Please implement this feature also for non-APR connectors A.S.A.P. - I think it is even worthwhile to backport to Tomcat 7!
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Neale Rudd changed:

What       |Removed   |Added
CC         |          |ne...@metawerx.net
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Jens Borgland changed:

What       |Removed   |Added
CC         |          |jens.borgl...@gmail.com
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #12 from Christopher Schultz ---

(In reply to Ognjen Blagojevic from comment #4)
> No objections. Do I need to provide a new patch with the name you proposed?

If you like my suggestions above, you could make all 3 changes at once and propose a new patch. That would be nice ;)
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #11 from Christopher Schultz ---

Ognjen, I have a couple of further comments about your proposed patch. I'm leaning towards adding this to Tomcat 8 but not back-porting unless there is significant demand.

1. Most of the 2 configureUseCipherSuitesOrder methods is the same. Consider re-factoring the bulk of that method into a superclass utility method and then extract the SSLParameters object from either SSLEngine or Socket in the subclasses.

2. Since this is a security-related configuration, consider failing totally when server-side ordering is requested but can't be enforced -- e.g. the reflection fails for any reason. You have it logging a warning but continuing which I think isn't appropriate in this case.
[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Christopher Schultz changed:

What       |Removed                                                            |Added
Summary    |Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors|Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]