Updated with jmagne's comments, mainly on adding some error checking.

Also, rrelyea added the following NSS information regarding the now obsolete SSL version enable functions so we know what to expect (I will add that to the bug):
"
At the NSS level:

There is only range now. We added range before we added TLS 1.1. So the old code was SSL2 on/off, SSL3 on/off, and TLS 1.0 on/off. Now we have TLS_range 0 = ssl3, 1 = tls 1.0, 2 = tls 1.1, 3 = tls 1.2 (SSL2 is still on/off). The old functions that turned on ciphers still operate, but they work by extending the range. If TLS 1.1 and TLS 1.2 are turned off, then it all works the same way it did before (the range is ssl3-tls 1.0). If TLS 1.1 is on, though, now turning on ssl3 will also turn on TLS 1.0 as a side effect. You can't turn on just SSL 3.0 and TLS 1.2, for example. If your old sslOptions have TLS 1.1 or TLS 1.2 as options, you won't be able to turn them on in NSS without invoking a range.
"

thanks,
Christina

On 09/29/2014 11:32 AM, Christina Fu wrote:
This tomcatjss patch is for the following bug:
Bug 871171 - Provide Tomcat support for TLS v1.1 and TLS v1.2 (Tomcatjss)

It provides the minimum code to support setting the ssl version range from tomcatjss server.
The tlsv1.1 and 1.2 ciphers are made available as well.

This patch works in conjunction with the JSS patch that was sent out for review.

There are three new variables introduced in the server.xml:
sslVersionRangeStream - for stream protocol type. It takes a format of "min:max" where min/max values can be "ssl3, tls1_0, tls1_1, or tls1_2"
sslVersionRangeDatagram - for datagram protocol type. It takes a format of "min:max" where min/max values can be "tls1_1, or tls1_2"
sslRangeCiphers - a complete list of ciphers you wish to support (provided they are supported by NSS) in such an ssl version range.

When the new *range* parameters are set, the old sslOptions parameter is ignored, as it is obsolete.  However, if the *range* parameters are not specified, the sslOptions will be supported as before.

thanks,
Christina
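As an added illustration (not tomcatjss or NSS code, and not part of the original thread), the following Python model captures the two behaviours described above: how the new server.xml range attributes are parsed and how they override sslOptions, and rrelyea's point that the obsolete per-version "on" calls work by extending a single range (so enabling ssl3 and tls1_2 together also enables tls1_0 and tls1_1). The server.xml fragment is constructed for this example; the Connector layout and the sslOptions value "ssl3=false,tls=true" are assumptions, and sslRangeCiphers is omitted because the thread does not show its value format.

```python
"""Model of the tomcatjss SSL version range settings discussed in the thread.

Added example, not tomcatjss or NSS code. The server.xml below is constructed.
"""
import xml.etree.ElementTree as ET

# NSS range indices as quoted from rrelyea: 0=ssl3, 1=tls1_0, 2=tls1_1, 3=tls1_2.
VERSIONS = ["ssl3", "tls1_0", "tls1_1", "tls1_2"]
STREAM_ALLOWED = frozenset(VERSIONS)               # sslVersionRangeStream
DATAGRAM_ALLOWED = frozenset(["tls1_1", "tls1_2"])  # sslVersionRangeDatagram

# Constructed server.xml fragment (assumed layout; sslOptions value is assumed).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true"
               sslVersionRangeStream="tls1_0:tls1_2"
               sslVersionRangeDatagram="tls1_1:tls1_2"
               sslOptions="ssl3=false,tls=true"/>
    <!-- above: sslOptions is ignored because range attributes are present -->
    <Connector port="8444" SSLEnabled="true"
               sslOptions="ssl3=false,tls=true"/>
  </Service>
</Server>"""


def parse_range(value, allowed):
    """Parse a "min:max" attribute into (min_idx, max_idx) on the NSS scale.

    Rejects malformed strings, versions outside the allowed set for the
    protocol type, and ranges whose min is above max.
    """
    parts = value.split(":")
    if len(parts) != 2:
        raise ValueError("expected min:max, got %r" % value)
    lo, hi = (p.strip() for p in parts)
    for name in (lo, hi):
        if name not in allowed:
            raise ValueError("unsupported version %r; allowed: %s"
                             % (name, sorted(allowed, key=VERSIONS.index)))
    lo_i, hi_i = VERSIONS.index(lo), VERSIONS.index(hi)
    if lo_i > hi_i:
        raise ValueError("min %s is above max %s" % (lo, hi))
    return lo_i, hi_i


def connector_policy(attrs):
    """Decide what a Connector asks NSS for.

    If either *range* attribute is set, the range is used and the obsolete
    sslOptions attribute is ignored; otherwise sslOptions applies as before.
    """
    stream = attrs.get("sslVersionRangeStream")
    datagram = attrs.get("sslVersionRangeDatagram")
    policy = {"mode": "legacy", "stream": None, "datagram": None,
              "sslOptions": attrs.get("sslOptions")}
    if stream is None and datagram is None:
        return policy
    policy["mode"] = "range"
    policy["sslOptions"] = None  # ignored once a range is configured
    if stream is not None:
        policy["stream"] = parse_range(stream, STREAM_ALLOWED)
    if datagram is not None:
        policy["datagram"] = parse_range(datagram, DATAGRAM_ALLOWED)
    return policy


def load_policies(xml_text):
    """Map each Connector's port to its computed policy."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): connector_policy(c.attrib) for c in root.iter("Connector")}


def legacy_enabled_range(enabled_versions):
    """Model of the obsolete per-version "on" calls: each call extends one range,
    so the result is the span from the lowest to the highest enabled version."""
    idxs = [VERSIONS.index(v) for v in enabled_versions]
    if not idxs:
        return None
    return (min(idxs), max(idxs))


def versions_in_range(rng):
    """Expand an (min_idx, max_idx) range back to version names."""
    lo, hi = rng
    return VERSIONS[lo:hi + 1]


if __name__ == "__main__":
    for port, policy in load_policies(SERVER_XML).items():
        print(port, policy)
    # Side effect rrelyea describes: you cannot get ssl3 and tls1_2 without the middle.
    print(versions_in_range(legacy_enabled_range(["ssl3", "tls1_2"])))
```

Running the module prints the policy for each Connector and then `['ssl3', 'tls1_0', 'tls1_1', 'tls1_2']` for the legacy ssl3+tls1_2 case. Disabling a version is deliberately not modelled, since the thread does not describe how NSS handles an "off" in the middle of a range.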
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel