Bug 55537 - add support for TLS1.1 and TLS1.2 excluding TLS1.0 (BEAST attack)
Summary: add support for TLS1.1 and TLS1.2 excluding TLS1.0 (BEAST attack)
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Connectors (show other bugs)
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-08 22:08 UTC by Ralf Hauser
Modified: 2013-09-09 09:31 UTC
Description Ralf Hauser 2013-09-08 22:08:46 UTC
see also Bug 53952 for native.

In http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL%20Support, the "sslProtocol" attribute would have to be String[], i.e. a comma-separated protocol list.


Currently, TLSv1.2 can be put there, but it doesn't appear to have a limiting effect on TLSv1.0.

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext  

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Comment 1 Ognjen Blagojevic 2013-09-09 07:00:29 UTC
(In reply to Ralf Hauser from comment #0)
> In http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL%20Support,
> the "sslProtocol" attribute would have to be String[], i.e. e.g. comma
> separated protocol list

You created a bug for Tomcat 7, but you are quoting Tomcat 6 docs.

The HTTPS connector in Tomcat 7 has the attribute sslEnabledProtocols, by which you may specify only the desired protocols, e.g. TLS 1.1 and TLS 1.2.

The same attribute in Tomcat 6 is called "protocols", but it is undocumented. Take a look at the bug 54691.
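What the two attributes do, as an added server.xml example for a Tomcat 7 JSSE connector (this is not configuration from the bug report or from the Tomcat project; the port, keystore path and password are placeholders). The first Connector is the setting the reporter tried, the second is the one comment 1 describes:

```xml
<!-- Tomcat 7 server.xml (added example, not from the bug). Placeholders:
     port 8443, conf/keystore.jks, password "changeit". -->

<!-- Weak: sslProtocol only selects the JSSE SSLContext algorithm.
     The resulting context still enables TLSv1.0, so a BEAST-style
     client can negotiate TLS 1.0 CBC suites against this connector. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" clientAuth="false"
           sslProtocol="TLSv1.2" />

<!-- Hardened: sslEnabledProtocols is the comma-separated list of JSSE
     protocol names (StandardNames page linked above) that the server
     will actually offer; TLSv1.0 and SSLv3 are no longer negotiable. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2" />
```

To check the result from outside, `openssl s_client -connect host:8443 -tls1` should now fail the handshake while `openssl s_client -connect host:8443 -tls1_2` succeeds. Two caveats: the JVM must itself support TLS 1.1/1.2 (Java 7 or later for JSSE), and any client that cannot speak at least TLS 1.1 will be unable to connect at all, which is the trade-off the reporter runs into in comment 2.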
Comment 2 Ralf Hauser 2013-09-09 09:31:19 UTC
Cool, this makes
https://www.ssllabs.com/ssltest/analyze.html?d=mysite.tld
happy except for the renegotiation (bug 55536),
but Firefox cannot connect anymore...