George,

On 6/24/15 11:31 AM, George Stanchev wrote:
> (Apologies for top posting, I cannot find a way to switch to ">"
> quote for Outlook)

No problem.

> Having a utility is an interesting idea but it will not address the
> regular expression rules that OpenSSL supports. For example, I was
> porting Mozilla's Server Side TLS ciphers [1] to our 7.0.62 the
> other day and at the end you have:
>
> "...:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>
> So after mapping all the explicit ones before, I had to go and look
> for the rest of the AES suites, then exclude the export suites, ignore the
> RC4s, etc., etc. I did it, kinda, but it was a pain in the neck and it
> is really not the same rule list.
>
> Can you point me to the code where 8 and the trunk deal with this?
> It is not really that big of a deal to not have it since once you
> set your list you don't touch it until the next security scare, but
> since it is security related, I thought it would benefit people to
> be able to have more flexibility on the cipher definitions and
> might be worth backporting.

You are looking for
org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser

There are some related files (like Cipher.java), but start in that class
right there.

I think a simple driver class could take an OpenSSL-style cipher string
and dump out the JSSE-compatible (expanded) cipher suites string.

-chris

> Regards,
> George
>
> [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, June 24, 2015 8:37 AM
> To: Tomcat Users List
> Subject: Re: useServerCipherSuitesOrder in 7.0.62
>
> George,
>
> On 6/15/15 10:08 AM, George Stanchev wrote:
>> Is there any chance for the OpenSSL-style ciphers to be
>> backported to the 7 release line?
>
> I'm not sure. The biggest problem with the OpenSSL-style ciphers
> is maintaining the mapping, which might change with every release
> of Java and/or OpenSSL. Maintaining it in Tomcat's trunk and 8 is
> already double the work... adding Tomcat 7 is even more work.
>
> I think what might make sense is to wrap a command-line program
> around the trunk/8.0.x utility that does the mapping to build
> something like OpenSSL's "ciphers" command, but that dumps out
> JSSE-style cipher suites.
>
> Then that could be used independently of any version of Tomcat for
> those versions that don't directly support the openssl-style
> cipher suites configuration.
>
> What do you think?
>
> Another possibility would be to maintain the mapping somewhere
> other than code (where it currently is), and then share that
> mapping between the various versions, perhaps using svn external
> links. Then the mapping gets updated in a single place and all
> supporting versions of Tomcat can pick it up.
>
> I'll defer to markt who mostly wrote the OpenSSL-JSSE bridge code
> to decide if that might work.
>
> -chris
>
>> -----Original Message-----
>> From: George Stanchev [mailto:gstanc...@serena.com]
>> Sent: Saturday, June 13, 2015 11:41 AM
>> To: Tomcat Users List
>> Subject: RE: useServerCipherSuitesOrder in 7.0.62
>>
>> Thanks Konstantin,
>>
>> I apologize for the shortsightedness. I guess I must have had a
>> space in the search dialog. Thanks for the answers!
>>
>> Cheers,
>>
>> George
>>
>> -----Original Message-----
>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>> Sent: Saturday, June 13, 2015 7:26 AM
>> To: Tomcat Users List
>> Subject: Re: useServerCipherSuitesOrder in 7.0.62
>>
>> 2015-06-13 15:36 GMT+03:00 George Stanchev <gstanc...@serena.com>:
>>> Hi,
>>>
>>> I was looking at [1] and it looks like the new attribute is
>>> available in 7.0.61 onwards as per Violeta's comment. However I
>>> cannot find this new attribute in the HTTP connector
>>> documentation [2] nor the changelog [3]. Can someone confirm or
>>> deny the availability of this attribute
>>> (useServerCipherSuitesOrder) in Tomcat 7.0.62?
>>
>> #55988 [1] is mentioned in the changelog, twice (7.0.61, 7.0.60).
>>
>> "useServerCipherSuitesOrder" is mentioned in [2] (in the "SSL Support
>> - BIO and NIO" section).
>>
>> Note that this feature requires running with Java 8.
>>
>>> As a follow-up question, I seem to remember that 8.0.latest
>>> supports an OpenSSL-style list for the HTTP connector "ciphers"
>>> attribute. Does 7.0.62 also support this, or was it not
>>> backported?
>>
>> It was not backported.
>>
>> Relevant classes are in package
>> org.apache.tomcat.util.net.jsse.openssl:
>>
>> OpenSSLCipherConfigurationParser etc.
>>
>>> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
>>> [2] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>>> [3] https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
>>
>> Best regards,
>> Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
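The driver Chris proposes, sketched below as an added Python example; it is not Tomcat's OpenSSLCipherConfigurationParser and not code from the thread. It applies the OpenSSL rule semantics George had to reproduce by hand: a bare word adds suites (ones already present keep their position), "-" removes them but lets a later word re-add them, "!" removes them for good, "+" moves them to the end of the list, and "A+B" inside one word means both must match. The cipher table is a constructed subset graded like OpenSSL 1.0.x (3DES still HIGH), so alias expansion (HIGH, AES, aECDH, ...) is only as complete as that table; a real tool would sit on Tomcat's parser or be cross-checked against `openssl ciphers -v`. Unlike OpenSSL, which silently drops names it does not know, it reports them, which is the check you want before pasting the result into a Tomcat 7 ciphers attribute.

```python
"""Toy expander: OpenSSL-style cipher string -> JSSE suite names (added
illustration, not Tomcat's OpenSSLCipherConfigurationParser). TABLE is a
constructed subset graded like OpenSSL 1.0.x; aliases are partial."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    openssl: str   # OpenSSL name
    jsse: str      # JSSE name (SSL_/TLS_ prefixes as in Oracle/OpenJDK)
    kx: str        # key exchange: RSA, DHE, ECDHE, ECDH, PSK
    au: str        # authentication: RSA, ECDSA, ECDH, PSK, NULL (anonymous)
    enc: str       # bulk cipher: AESGCM, AES, 3DES, DES, RC4, NULL
    mac: str       # AEAD, SHA1, MD5
    strength: str  # HIGH, MEDIUM, EXPORT, NONE


# Constructed subset; list order stands in for OpenSSL's default ordering.
TABLE = [
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "RSA", "AESGCM", "AEAD", "HIGH"),
    Cipher("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE", "ECDSA", "AESGCM", "AEAD", "HIGH"),
    Cipher("ECDH-RSA-AES128-SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH", "ECDH", "AES", "SHA1", "HIGH"),
    Cipher("AECDH-AES128-SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "ECDH", "NULL", "AES", "SHA1", "HIGH"),
    Cipher("EDH-RSA-DES-CBC3-SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE", "RSA", "3DES", "SHA1", "HIGH"),
    Cipher("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES", "SHA1", "HIGH"),
    Cipher("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "RSA", "AES", "SHA1", "HIGH"),
    Cipher("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "RSA", "3DES", "SHA1", "HIGH"),
    Cipher("EXP-DES-CBC-SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "RSA", "RSA", "DES", "SHA1", "EXPORT"),
    Cipher("RC4-SHA", "SSL_RSA_WITH_RC4_128_SHA", "RSA", "RSA", "RC4", "SHA1", "MEDIUM"),
    Cipher("RC4-MD5", "SSL_RSA_WITH_RC4_128_MD5", "RSA", "RSA", "RC4", "MD5", "MEDIUM"),
    # IANA name; SunJSSE ships no PSK suites, so this never becomes a usable JSSE suite.
    Cipher("PSK-AES128-CBC-SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", "PSK", "PSK", "AES", "SHA1", "HIGH"),
    Cipher("NULL-SHA", "SSL_RSA_WITH_NULL_SHA", "RSA", "RSA", "NULL", "SHA1", "NONE"),
]
BY_NAME = {c.openssl: c for c in TABLE}

# Aliases as predicates over the table ('ALL' excludes eNULL, as in OpenSSL).
ALIASES = {
    "ALL": lambda c: c.enc != "NULL",
    "HIGH": lambda c: c.strength == "HIGH",
    "EXPORT": lambda c: c.strength == "EXPORT",
    "aNULL": lambda c: c.au == "NULL",
    "eNULL": lambda c: c.enc == "NULL",
    "AES": lambda c: c.enc in ("AES", "AESGCM"),
    "DES": lambda c: c.enc == "DES",    # single DES only; 3DES is a separate alias
    "RC4": lambda c: c.enc == "RC4",
    "MD5": lambda c: c.mac == "MD5",
    "kRSA": lambda c: c.kx == "RSA",
    "aECDH": lambda c: c.au == "ECDH",  # static ECDH auth, not anonymous ECDH (AECDH)
    "PSK": lambda c: c.kx == "PSK",
}


def select(word):
    """Resolve 'HIGH', 'AES128-SHA' or 'kRSA+AES' ('+' inside a word means AND)
    to the matching ciphers, or None if any part is unknown to this table."""
    chosen = set(TABLE)
    for part in word.split("+"):
        if part in BY_NAME:
            chosen &= {BY_NAME[part]}
        elif part in ALIASES:
            chosen &= {c for c in TABLE if ALIASES[part](c)}
        else:
            return None
    return chosen


def parse(expression):
    """Apply OpenSSL's rule semantics word by word: no prefix adds (entries already
    present keep their place), '-' removes but allows re-adding, '!' removes for
    good, '+' moves matches to the end. Returns (ordered ciphers, words this table
    could not resolve); OpenSSL itself drops unknown words silently."""
    active, killed, unknown = [], set(), []
    for word in re.split(r"[:, ]+", expression.strip()):
        if not word or word.startswith("@"):
            continue  # '@STRENGTH' sorting is not modelled here
        op = word[0] if word[0] in "!-+" else ""
        matches = select(word[len(op):])
        if matches is None:
            unknown.append(word)
        elif op in ("!", "-"):
            if op == "!":
                killed |= matches
            active = [c for c in active if c not in matches]
        elif op == "+":
            active = [c for c in active if c not in matches] + [c for c in active if c in matches]
        else:
            active += [c for c in TABLE if c in matches and c not in killed and c not in active]
    return active, unknown


def to_jsse(expression):
    """Expanded JSSE names, ready to comma-join into Tomcat 7's ciphers attribute."""
    ciphers, unknown = parse(expression)
    return [c.jsse for c in ciphers], unknown


if __name__ == "__main__":  # tail of the Mozilla intermediate string quoted in the thread
    names, unknown = to_jsse("ECDHE-RSA-AES128-GCM-SHA256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:"
                             "!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA")
    print('ciphers="%s"' % ",".join(names))
    print("not in this table, check with 'openssl ciphers -v':", unknown)
```

Run as a script it prints the expanded list for the Mozilla tail quoted above (five suites from this table, with the static-ECDH, anonymous, PSK and DHE-3DES entries removed by the "!" rules) and the two names the table lacks. The difference between "ALL:-RC4:RC4" and "ALL:!RC4:RC4" is the kind of thing that is easy to get wrong when translating by hand: the first ends with the RC4 suites at the bottom of the list, the second has none at all.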