Updated with jmagne's comments, mainly on adding some error checking.
Also, rrelyea added the following NSS information regarding the now
obsolete old ssl version enable functions, so we know what to
expect (I will add that to the bug):
"
At the NSS level:
There is only a range now. We added range before we added TLS 1.1. So the
old code was SSL2 on/off, SSL3 on/off, and TLS 1.0 on/off. Now we have
TLS_range 0 = ssl3, 1 = tls 1.0, 2 = tls 1.1, 3 = tls 1.2 (SSL2 is still
on/off). The old functions that turned on ciphers still operate, but
they work by extending the range. If TLS 1.1 and TLS 1.2 are turned
off, then it all works the same way it did before (the range is
ssl3-tls1.0). If tls 1.1 is on, though, now turning on ssl3 will also
turn on tls 1.0 as a side effect. You can't turn on just ssl 3.0 and TLS
1.2, for example. If your old sslOptions have tls 1.1 or tls 1.2 as
options, you won't be able to turn them on in NSS without invoking a range.
"
thanks,
Christina
On 09/29/2014 11:32 AM, Christina Fu wrote:
This tomcatjss patch is for the following bug:
*Bug 871171* <https://bugzilla.redhat.com/show_bug.cgi?id=871171>
-Provide Tomcat support for TLS v1.1 and TLS v1.2 (Tomcatjss)
It provides the minimum code to support setting the ssl version range
from tomcatjss server.
The tlsv1.1 and 1.2 ciphers are made available as well.
This patch works in conjunction with the JSS patch that was sent out
for review.
There are three new variables introduced in the server.xml:
sslVersionRangeStream - for stream protocol type. It takes a format
of "min:max" where min/max values can be "ssl3, tls1_0, tls1_1, or
tls1_2".
sslVersionRangeDatagram - for datagram protocol type. It takes a
format of "min:max" where min/max values can be "tls1_1, or tls1_2".
sslRangeCiphers - a complete list of ciphers you wish to support
(provided they are supported by NSS) in that ssl version range.
When the new *range* parameters are set, the old sslOptions parameter
is ignored, as it is obsolete. However, if the *range* parameters are
not specified, the sslOptions will be supported as before.
thanks,
Christina
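The "min:max" range attributes from the patch description and the NSS range behaviour from rrelyea's note, modelled in Python as an added illustration (this is editor-supplied code, not tomcatjss or JSS code; the attribute names, version tokens and 0..3 NSS indices are the ones quoted in the thread, and the sslOptions value is treated as an opaque string because its format is not given here).

```python
# Added illustration (not tomcatjss/JSS code) of the version-range semantics
# described in this thread. Version tokens and NSS indices come from the mails.
NSS_INDEX = {"ssl3": 0, "tls1_0": 1, "tls1_1": 2, "tls1_2": 3}  # rrelyea's 0..3
NSS_NAME = {i: n for n, i in NSS_INDEX.items()}
ALLOWED = {  # legal "min:max" endpoints per protocol type, from the patch mail
    "stream": ("ssl3", "tls1_0", "tls1_1", "tls1_2"),
    "datagram": ("tls1_1", "tls1_2"),
}

def parse_version_range(value, protocol):
    """Parse a "min:max" attribute into NSS (min, max) indices, or raise."""
    if protocol not in ALLOWED:
        raise ValueError("unknown protocol type %r" % protocol)
    parts = [p.strip().lower() for p in value.split(":")]
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected 'min:max', got %r" % value)
    for name in parts:
        if name not in ALLOWED[protocol]:
            raise ValueError("%r is not valid for %s (allowed: %s)"
                             % (name, protocol, ", ".join(ALLOWED[protocol])))
    lo, hi = (NSS_INDEX[p] for p in parts)
    if lo > hi:
        raise ValueError("min %s is newer than max %s" % tuple(parts))
    return lo, hi

def legacy_flags_to_range(enabled):
    """Model rrelyea's note: the old per-version on/off switches now only extend
    a range, so every version between the lowest and highest enabled one is on
    too. `enabled` is a set of version tokens; returns the versions actually on."""
    idx = sorted(NSS_INDEX[n] for n in enabled)
    return [NSS_NAME[i] for i in range(idx[0], idx[-1] + 1)] if idx else []

def select_version_config(attrs):
    """Precedence from the patch mail: a range attribute wins and sslOptions is
    ignored; with no range attribute, sslOptions applies as before."""
    stream = attrs.get("sslVersionRangeStream")
    datagram = attrs.get("sslVersionRangeDatagram")
    if stream is None and datagram is None:
        return {"mode": "sslOptions", "sslOptions": attrs.get("sslOptions")}
    cfg = {"mode": "range", "sslOptions": None}  # legacy value deliberately dropped
    if stream is not None:
        cfg["stream"] = parse_version_range(stream, "stream")
    if datagram is not None:
        cfg["datagram"] = parse_version_range(datagram, "datagram")
    return cfg
```

legacy_flags_to_range({"ssl3", "tls1_2"}) shows the side effect rrelyea describes: the whole ssl3..tls1_2 span comes on, not just the two endpoints.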
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel