Bug 53344 - Cannot use SSLv3+TLSv1 in Http11AprProtocol
Summary: Cannot use SSLv3+TLSv1 in Http11AprProtocol
Status: RESOLVED DUPLICATE of bug 51477
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 6.0.35
Hardware: All All
: P2 major (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2012-06-01 11:34 UTC by Michael Osipov
Modified: 2012-06-01 12:18 UTC (History)
0 users

Patched AprEndpoint with SSLv3+TLSv1 parallel support (820 bytes, patch)
2012-06-01 11:34 UTC, Michael Osipov
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Osipov 2012-06-01 11:34:09 UTC
The SSLProtocol parameter does not allow the combination of SSLv3+TLSv1 which is actually highly preferred. The underlying libtcnative supports that (since 1.1.21: Support arbitrary protocol combinations of SSLv2, SSLv3 and TLSv1. (rjung)) though. APR supports that anyway.

Please add support to use both of them. I have created a patch to make that work. Documentation has to be adapted accordingly.
A sslcan on the Tomcat servers shows full support from APR and OpenSSL:

$ sslscan <host>:18443 | grep Accepted
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  ADH-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
Comment 1 Michael Osipov 2012-06-01 11:34:51 UTC
Created attachment 28870 [details]
Patched AprEndpoint with SSLv3+TLSv1 parallel support
Comment 2 Konstantin Kolinko 2012-06-01 12:18:09 UTC
This feature has already been implemented (will be in 6.0.36)

Hint: links to changelog pages are gathered on this page:

*** This bug has been marked as a duplicate of bug 51477 ***