Tomcat encryption algorithms
Hi, As far as I know, the only encryption implemented by Tomcat itself is SSL. But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6. To my understanding, Tomcat relies on the JVM or JCE installed on the user's machine to implement SSL, which implies Tomcat doesn't ship any cryptographic algorithms but only implements SSL protocol. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. This implies Tomcat does contain (and thus ships with) encryption implementation. And I need to know what exactly algorithms are implemented. Please reply to me at justine.s...@sap.commailto:justine.s...@sap.com Thank you very much! Justine
Re: Tomcat encryption algorithms
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Justine, On 1/20/2010 1:52 PM, Shan, Justine wrote: As far as I know, the only encryption implemented by Tomcat itself is SSL. SSL is a strategy of securely transmitting data, which uses encryption. Technically speaking, Tomcat does not /implement/ SSL, but rather uses the JVM's SSL libraries to provide HTTP over SSL. But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6. Tomcat does not ship with any cryptographic algorithms. To my understanding, Tomcat relies on the JVM or JCE installed on the user's machine to implement SSL, which implies Tomcat doesn't ship any cryptographic algorithms but only implements SSL protocol. Correct. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. Would you care to provide a reference? I can find none of the following strings on the Legal page for Tomcat (http://tomcat.apache.org/legal.html): crypt, 5D002, classif, or anything like that. This implies Tomcat does contain (and thus ships with) encryption implementation. And I need to know what exactly algorithms are implemented. Again, none are implemented: everything is implemented by the JRE/JVM or a 3rd-party library, if you choose to install and configure one (such as Bouncy Castle... I'm sure there are others). If you just want to know which algorithms are available to your JDK, you can write a bit of code to dump-out that information, but it depends entirely on your environment. Tomcat also allows you to use OpenSSL as an SSL provider (using the APR native library) which may provide a different set of encryption algorithms to Tomcat. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktXVRAACgkQ9CaO5/Lv0PBorwCgprlSVdu1ly0DWdpvA8PS2nZV 61MAoII8HcPJ2nTTCSTflA3Ic3q2PSRb =Xnhn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat encryption algorithms
From: Shan, Justine [mailto:justine.s...@sap.com] Subject: Tomcat encryption algorithms But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6. That's easy: none. Tomcat uses whatever algorithms are installed with the JVM it's using. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. What Legal page is that? Certainly not the one on the Tomcat web site. Please reply to me at justine.s...@sap.commailto:justine.s...@sap.com No. All inquiries and responses should be to the mailing list, not offline. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat encryption algorithms
Thank you so much for the answer! Regarding the classification, please see the link below: http://www.apache.org/licenses/exports/ scroll down to the product Apache Tomcat. It says it's 5D002. I also reached to Apache Legal to verify but haven't heard anything back. -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, January 20, 2010 11:10 AM To: Tomcat Users List Subject: Re: Tomcat encryption algorithms -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Justine, On 1/20/2010 1:52 PM, Shan, Justine wrote: As far as I know, the only encryption implemented by Tomcat itself is SSL. SSL is a strategy of securely transmitting data, which uses encryption. Technically speaking, Tomcat does not /implement/ SSL, but rather uses the JVM's SSL libraries to provide HTTP over SSL. But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6. Tomcat does not ship with any cryptographic algorithms. To my understanding, Tomcat relies on the JVM or JCE installed on the user's machine to implement SSL, which implies Tomcat doesn't ship any cryptographic algorithms but only implements SSL protocol. Correct. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. Would you care to provide a reference? I can find none of the following strings on the Legal page for Tomcat (http://tomcat.apache.org/legal.html): crypt, 5D002, classif, or anything like that. This implies Tomcat does contain (and thus ships with) encryption implementation. And I need to know what exactly algorithms are implemented. Again, none are implemented: everything is implemented by the JRE/JVM or a 3rd-party library, if you choose to install and configure one (such as Bouncy Castle... I'm sure there are others). If you just want to know which algorithms are available to your JDK, you can write a bit of code to dump-out that information, but it depends entirely on your environment. Tomcat also allows you to use OpenSSL as an SSL provider (using the APR native library) which may provide a different set of encryption algorithms to Tomcat. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktXVRAACgkQ9CaO5/Lv0PBorwCgprlSVdu1ly0DWdpvA8PS2nZV 61MAoII8HcPJ2nTTCSTflA3Ic3q2PSRb =Xnhn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat encryption algorithms
Thanks! Just replied a min ago with the link : http://www.apache.org/licenses/exports/ (scroll down to Apache Tomcat) -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Wednesday, January 20, 2010 11:13 AM To: Tomcat Users List Subject: RE: Tomcat encryption algorithms From: Shan, Justine [mailto:justine.s...@sap.com] Subject: Tomcat encryption algorithms But I need to know what exactly algorithms have been implemented and distributed with the binary from Apache Tomcat 5.X and 6. That's easy: none. Tomcat uses whatever algorithms are installed with the JVM it's using. On the other hand, from the Legal page Tomcat is classified as 5D002, strong cryptography. What Legal page is that? Certainly not the one on the Tomcat web site. Please reply to me at justine.s...@sap.commailto:justine.s...@sap.com No. All inquiries and responses should be to the mailing list, not offline. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat encryption algorithms
From: Shan, Justine [mailto:justine.s...@sap.com] Subject: RE: Tomcat encryption algorithms scroll down to the product Apache Tomcat. It says it's 5D002. Perhaps you missed this part of the explanation of 5D002: Products classified as ECCN 5D002, are exported by the ASF under the TSU exception in EAR 740.13(e), which applies to software containing or *DESIGNED FOR USE WITH* encryption software that is publicly available as open source. [emphasis added] - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Tomcat encryption algorithms
On 20/01/2010 13:52, Shan, Justine wrote: Tomcat is classified as 5D002, strong cryptography. This implies Tomcat does contain (and thus ships with) encryption implementation. No it doesn't. It means quote ASF product distributions that contain or are specially designed to use cryptography /quote Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
