Bug 61803 - Documentation for sslEnabledProtocols describes the incorrect way to set this option
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Documentation
Version: 8.5.23
Hardware: All All
: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-23 03:40 UTC by Simon Dawson
Modified: 2017-11-23 14:39 UTC
Description Simon Dawson 2017-11-23 03:40:09 UTC
In webapps/docs/security-howto.xml the following documentation is provided for
the sslEnabledProtocols option.

      <p>The <strong>sslEnabledProtocols</strong> attribute determines which
      versions of the SSL/TLS protocol are used.  Since the POODLE attack in
      2014, all SSL protocols are considered unsafe and a secure setting for
      this attribute in a standalone Tomcat setup might be
      <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>

This documentation also includes an example of setting this option.

When this syntax is used you get the following warning text printed into
the log.

WARN - The protocol [TLSv1.1] was added to the list of protocols on the 
SSLHostConfig named [_default_]. Check if a +/- prefix is missing.

Inside org/apache/tomcat/util/net/SSLHostConfig.java there is a comment describing
the expected format for this option and how it's parsed.

        // List of protocol names, separated by ",", "+" or "-".
        // Semantics is adding ("+") or removing ("-") from left
        // to right, starting with an empty protocol set.
        // Tokens are individual protocol names or "all" for a
        // default set of supported protocols.
        // Separator "," is only kept for compatibility and has the
        // same semantics as "+", except that it warns about a potentially
        // missing "+" or "-".

I've never written a patch before but I'm keen to assist if I can get some guidance.
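The token semantics from that comment, worked through as an added example: this is my own Python reimplementation of the described rules, not Tomcat's code, and the default set behind "all" is a constructed assumption (the real set is version-specific). It shows why the documented "TLSv1,TLSv1.1,TLSv1.2" value works but warns, and what the prefixed forms produce.

```python
import re

# Constructed default set for the "all" token (assumption for this example;
# Tomcat derives the real set from the JSSE/OpenSSL implementation in use).
ALL_PROTOCOLS = frozenset({"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"})


def parse_ssl_enabled_protocols(value, all_protocols=ALL_PROTOCOLS):
    """Apply the "+", "-" and "," semantics described in SSLHostConfig.java.

    Returns (enabled_protocols, warnings). Tokens are processed left to
    right starting from an empty set: "+" adds, "-" removes, and "," (or a
    token with no prefix at all) adds but warns once the set is already
    non-empty, since the author may have meant "+" or "-".
    """
    enabled = set()
    warnings = []
    # Split in front of every operator so each token keeps its own prefix.
    for raw in re.split(r"(?=[-+,])", value):
        token = raw.strip()
        if not token:
            continue
        if token[0] in "+-,":
            op, name = token[0], token[1:].strip()
        else:
            op, name = "", token
        if not name:  # a lone separator carries no protocol name
            continue
        if op == "-":
            if name.lower() == "all":
                enabled -= set(all_protocols)
            else:
                enabled.discard(name)
            continue
        if op != "+" and enabled:
            warnings.append(f"The protocol [{name}] was added to the list of "
                            "protocols. Check if a +/- prefix is missing.")
        if name.lower() == "all":
            enabled |= set(all_protocols)
        else:
            enabled.add(name)
    return frozenset(enabled), warnings


if __name__ == "__main__":
    # The value quoted in the howto: same result as the "+" form, plus warnings.
    for setting in ("TLSv1,TLSv1.1,TLSv1.2", "TLSv1+TLSv1.1+TLSv1.2", "all-SSLv2Hello"):
        print(setting, "->", parse_ssl_enabled_protocols(setting))
```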
Comment 1 Simon Dawson 2017-11-23 03:57:48 UTC
Here is the original patch that changed this for version 8.
https://svn.apache.org/viewvc?view=revision&revision=1681779

It did include some documentation updates but not to sslEnabledProtocols.
Comment 2 Remy Maucherat 2017-11-23 14:39:43 UTC
After a review, this section of the security howto doc is outdated and it can be removed.

Fixed in:
- trunk for 9.0.2 onwards
- 8.5.x for 8.5.24 onwards
- 8.0.x for 8.0.48 onwards
- 7.0.x for 7.0.83 onwards
(thanks to Mark for the cut and paste :) )