Problem enabling SSLv3 in Tomcat 8.5.15

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
Hi Tomcat Users,

I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.

Thank you in advance for any help offered!
Marc

----------------------------------------------
Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
    <Service name="Tomcat-Standalone">
        <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
             acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
        <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
                  scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" "
                 ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WIT
H_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
              clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/.keystore" >
        </Connector>
        <Engine name="Standalone" defaultHost="MyHostName">
            <Host     name="MyHostName" appBase="webapps"
                unpackWARs="true" autoDeploy="true">
                <Context path="" docBase="ROOT" allowLinking="true">
                    <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" docBase="" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):
# ./cipherscan MyHostName:443
prio  ciphersuite           protocols                    pfs_keysize
1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

----------------------------------------------
And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
    <Service name="Tomcat-Standalone">
        <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
             acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
        <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
                  scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" ">
                <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA">
                        <Certificate certificateKeystoreFile="/etc/.keystore" certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
                </SSLHostConfig>

        </Connector>
        <Engine name="Standalone" defaultHost="MyHostName">
            <Host     name="MyHostName" appBase="webapps"
                unpackWARs="true" autoDeploy="true">
                <Context path="" docBase="ROOT">
                    <Resources allowLinking="true" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):
# ./cipherscan MyHostName:443
prio  ciphersuite           protocols              pfs_keysize
1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits

Here is Tomcat's logging at startup (notice the SSLv3 warning):
..
Tomcat started.
-sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-80"]
Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
..


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

Mark Eggers
Marc,

On 6/20/2017 4:34 PM, Marc Dorsa wrote:

> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> ----------------------------------------------
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SHUTDOWN">
>     <Service name="Tomcat-Standalone">
>         <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
>              acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
>         <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
>                   scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" "
>                  ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WIT
> H_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
>               clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/.keystore" >
>         </Connector>
>         <Engine name="Standalone" defaultHost="MyHostName">
>             <Host     name="MyHostName" appBase="webapps"
>                 unpackWARs="true" autoDeploy="true">
>                 <Context path="" docBase="ROOT" allowLinking="true">
>                     <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" docBase="" />
>                 </Context>
>             </Host>
>         </Engine>
>     </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols                    pfs_keysize
> 1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
>
> ----------------------------------------------
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SHUTDOWN">
>     <Service name="Tomcat-Standalone">
>         <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
>              acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
>         <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
>                   scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" ">
>                 <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA">
>                         <Certificate certificateKeystoreFile="/etc/.keystore" certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
>                 </SSLHostConfig>
>
>         </Connector>
>         <Engine name="Standalone" defaultHost="MyHostName">
>             <Host     name="MyHostName" appBase="webapps"
>                 unpackWARs="true" autoDeploy="true">
>                 <Context path="" docBase="ROOT">
>                     <Resources allowLinking="true" />
>                 </Context>
>             </Host>
>         </Engine>
>     </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols              pfs_keysize
> 1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
> Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
> ..
I've not done this so I'm sure that someone will quickly correct me if
I'm wrong. I'm basing my answer from the following mailing list thread:

http://marc.info/?t=149330464700008&r=1&w=2

It seems from the logs that you are using the https-jsse-nio connector.
It appears that you should list all of your desired protocols with a
plus separating them (and no comma).

Something like this (if I'm reading Mark Thomas's answer correctly):

protocols="+SSLv3+TLSv1+TLSv1.1+TLSv1.2"

Again, if I'm misreading the thread (and the question), I hope to be
corrected shortly.

However, read the thread above and see if that doesn't solve your problem.

. . . just my two cents
/mde/


signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
In reply to this post by Marc Dorsa
On 6/20/2017 4:34 PM, Marc Dorsa wrote:

> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> ----------------------------------------------
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> <?xml version='1.0' encoding='utf-8'?> <Server port="8005"
> shutdown="SHUTDOWN">
>     <Service name="Tomcat-Standalone">
>         <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
>              acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
>         <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
>                   scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" "
>                  ciphers="SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WIT H_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
>               clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/.keystore" >
>         </Connector>
>         <Engine name="Standalone" defaultHost="MyHostName">
>             <Host     name="MyHostName" appBase="webapps"
>                 unpackWARs="true" autoDeploy="true">
>                 <Context path="" docBase="ROOT" allowLinking="true">
>                     <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" docBase="" />
>                 </Context>
>             </Host>
>         </Engine>
>     </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols                    pfs_keysize
> 1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
>
> ----------------------------------------------
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
> <?xml version='1.0' encoding='utf-8'?> <Server port="8005"
> shutdown="SHUTDOWN">
>     <Service name="Tomcat-Standalone">
>         <Connector  port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443" server=" "
>              acceptCount="100" connectionTimeout="660000" disableUploadTimeout="true" />
>         <Connector  port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false" acceptCount="100"
>                   scheme="https" secure="true" connectionTimeout="660000" disableUploadTimeout="true" server=" ">
>                 <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA">
>                         <Certificate certificateKeystoreFile="/etc/.keystore" certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
>                 </SSLHostConfig>
>
>         </Connector>
>         <Engine name="Standalone" defaultHost="MyHostName">
>             <Host     name="MyHostName" appBase="webapps"
>                 unpackWARs="true" autoDeploy="true">
>                 <Context path="" docBase="ROOT">
>                     <Resources allowLinking="true" />
>                 </Context>
>             </Host>
>         </Engine>
>     </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols              pfs_keysize
> 1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol
> init
> INFO: Initializing ProtocolHandler ["http-nio-80"] Jun 20, 2017
> 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool
> getSharedSelector
> INFO: Using a shared selector for servlet write/read Jun 20, 2017
> 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"] Jun 20, 2017
> 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the
> SSL engine and have been skipped: [[SSLv3]] ..

I've not done this so I'm sure that someone will quickly correct me if I'm wrong. I'm basing my answer from the following mailing list thread:

http://marc.info/?t=149330464700008&r=1&w=2

It seems from the logs that you are using the https-jsse-nio connector.
It appears that you should list all of your desired protocols with a plus separating them (and no comma).

Something like this (if I'm reading Mark Thomas's answer correctly):

protocols="+SSLv3+TLSv1+TLSv1.1+TLSv1.2"

Again, if I'm misreading the thread (and the question), I hope to be corrected shortly.

However, read the thread above and see if that doesn't solve your problem.

. . . just my two cents
/mde/

Thanks Mark, but I had already tried that syntax (along with similar variations just in case)...and no dice!
 

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

markt
In reply to this post by Marc Dorsa
On 21/06/17 00:34, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the
refactoring that added support for SNI, ALPN and multiple certificates.
Originally, the removal of SSLv2 and SSLv3 was only for the default
protocols (as it currently is in 8.0.x and earlier). During the
refactoring, the filtering effectively switched to applying to the
supported protocols.

A warning is logged during start-up that an unsupported protocol has
been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message
re-enabling sends. On the other hand, it drives me mad when software
blocks something because it thinks it knows best rather then letting me
judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging
a clear warning if it is.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 6/21/17 5:04 AM, Mark Thomas wrote:

> On 21/06/17 00:34, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat
>> 8.5.15.  (A 3rd-party component of our product requires SSLv3 and
>> there's no getting around it!)  Our Tomcat is running on a custom
>> Linux distribution based on Centos 7, and we're running Java
>> 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3
>> support in the JVM and verified that SSLv3 is correctly enabled
>> when running our existing Tomcat 7.0.47.  My guess is that I have
>> an incorrect server.xml configuration (for Tomcat 8), but the
>> Tomcat documentation
>> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Suppor
t)
>> as I read it, seems to say that simply setting the "protocols"
>> attribute of the SSLHostConfig element to include "SSLv3" should
>> do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

It's maybe worth noting that no shipped version of Sun/Oracle Java has
ever implemented SSLv2, but I believe some 3rd-party libraries
have/can support parts of that standard... mostly for probing to see
if it's enabled.

Nobody should have been building OpenSSL with SSLv2 in it for ...
decades, now.

But specific code to always disable SSLv2 is a Good Thing.

> The docs need to be updated to reflect that. Also the migration
> guide.
>
> I've done some svn archaeology and this change was introduced
> during the refactoring that added support for SNI, ALPN and
> multiple certificates. Originally, the removal of SSLv2 and SSLv3
> was only for the default protocols (as it currently is in 8.0.x and
> earlier). During the refactoring, the filtering effectively
> switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol
> has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the
> JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when
> software blocks something because it thinks it knows best rather
> then letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.

+1

Re-enabling SSLv3 in with a current JVM requires a system property to
be set, anyway, so there are two barriers to re-enabling SSLv3 on a
current-setup. I think it's reasonable to allow people who are willing
to manually re-enable SSLv3 to go ahead and have their insecure
service. :/

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAllKhWcACgkQHPApP6U8
pFjShw/+Pe5eQ0yqPaX73IswPAiqJX/zehFv8ZUBKjtxJCrzJeCjgJxOAIeP1nSS
v/BGrYY0mHFA3lVad7jI7SGdSN2bWwr4V+4rFadjtJBQ0JqBJBTGm9JJDTQmpwWW
/YeCvqDdwefxtM7eZM2AwrOBT1oWyFROB/dK9beHQ4MHtmlRovrOlLLpQZkNCdIX
svNdTWEHjtXo98YmJUwvvAS5xgrn4pWsaSXpSCBRIpGl5RuS8JTqLoUCTaTYKkGf
TXc9pF65vAjWRNyUuOV8H6JMyKZ2dCyzQl4SixPOwJ2urSiTFlWUcRjCHNU7PnXN
BfCNiyiYmSUZR+qOxu0np6V56je/4HcbBpt7zCd0cjpkxRehw7fnJBNw6I0iL+ei
3PhrubFzJNs5pL7Iue0G29CxZJgLIQIg88dXaqgknGLw8eTCG6mwpwL9jp0ZF1xZ
YyB8K42g5K+VYCb3Eg83eKplmp6F3F/7PQhwMlJn1jUcd+lVZozSIScBOmhyDu8+
pji1Lbc2y8QqqQRmn/V87naqSHdsE/l4+hFYiN6Z015QdiExzRntf33KUxVhoOqB
H+ddK1HoaGF4n1iSXe0AaibwVUCHZGOz/Q6Cbv/+Wean9ZD13o1CXpdKR+2oFxsz
oWQuU0wQKR1q3rCltoO314l0fmH8VcEilI0Wr7zyZ2DJ5HSlPEs=
=kCAy
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
In reply to this post by Marc Dorsa
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the
refactoring that added support for SNI, ALPN and multiple certificates.
Originally, the removal of SSLv2 and SSLv3 was only for the default
protocols (as it currently is in 8.0.x and earlier). During the
refactoring, the filtering effectively switched to applying to the
supported protocols.

A warning is logged during start-up that an unsupported protocol has
been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message
re-enabling sends. On the other hand, it drives me mad when software
blocks something because it thinks it knows best rather then letting me
judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging
a clear warning if it is.

Mark
----------------------------------

Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

Marc

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Marc,

On 6/21/17 2:04 PM, Marc Dorsa wrote:
> Thank you Mark for clarifying that SSLv3 is *not* supported (at
> all) in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat
> docs), I could have saved days of research and experimentation.
> :-(
http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat

?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAllKxt0ACgkQHPApP6U8
pFhNDQ/+Pdih3SXZs00VWITRVuv0ur2qNmF3dZt0IivJZlN+iWteQ2+SjAvZGz/d
z6tFE1ne28RuA7LRZyqsnU96sA5w/Y8AZrEBADQWiYmg9UVJOJAowrJBb63T3PLC
C/j8Yf+65lUdxd1pNiC/WFTSKTRPvA8cAl5+5W+LBDmXujziNLByzHZlKuIJU3vx
GXlFGum5/O0SwZeSvd2pEkaDH+m62adHEwCcYoX/MwBUKOpQqj3XJh/4WjSNIzMX
+pt+wlvkb7VZAG9VSCHft2r6wVx2RaUhVYvKNzMdsRzTt8ASVbTx5TmyRgGegM7W
RUbFyVq2RCSPaUCDZBnvV6XIORPxgPsKaxD+rMGHujeqhowVSPmwqQUYF8Z5PN4C
r4m3g6z/fC4eflNnASRScQuBLAPWgHYJTuz54nNyaDhBV0NRvN1nOUG15ECyG/6o
mGfKjQS91F/839+VGflqQYvJK7IY+CFqpayrGJGX1jKdjE+o8fjnx6y5fdxQuT33
oxklT40hTx7rrRrjY2K897WKhhF8lgEhoQSkuxPuV8+ESFyy6kt3IEMpNBEq/ut5
y43BXkkTdHGvdGTMmnDdBfXybdET8M/f3wWKB+UCsDH4Moe9Imix3/+FEEFRglXr
HhwreIOZzRCVvTFZNKWB0CethD78ga0Z2RWmtC1mBa1AP29bIGg=
=M2zr
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
Marc,

On 6/21/17 2:04 PM, Marc Dorsa wrote:
> Thank you Mark for clarifying that SSLv3 is *not* supported (at
> all) in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat
> docs), I could have saved days of research and experimentation.
> :-(
http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat

?

- -chris
-------------------------------------

Hi Chris,

Very funny :) , however, the articles out there on the Web re: this issue (stackoverflow, etc.), including the Tomcat 8.5 docs, all suggest fairly simple steps to enable SSLv3 in Tomcat (after first enabling it in the Java 8 JVM). I didn't see any information or comments stating that SSLv3 was permanently *disabled* starting with Tomcat 8.5 (as Mark Thomas just suggested).   If you believe what I just stated is not correct, please clue me in!

Thanks,
Marc

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Marc,

On 6/21/17 3:30 PM, Marc Dorsa wrote:

> Marc,
>
> On 6/21/17 2:04 PM, Marc Dorsa wrote:
>> Thank you Mark for clarifying that SSLv3 is *not* supported (at
>> all) in Tomcat 8.5+.  Wow, if only I had known that (via the
>> Tomcat docs), I could have saved days of research and
>> experimentation. :-(
> http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat
>
> ?
>
> - -chris -------------------------------------
>
> Hi Chris,
>
> Very funny :) , however, the articles out there on the Web re:
> this issue (stackoverflow, etc.), including the Tomcat 8.5 docs,
> all suggest fairly simple steps to enable SSLv3 in Tomcat (after
> first enabling it in the Java 8 JVM). I didn't see any information
> or comments stating that SSLv3 was permanently *disabled* starting
> with Tomcat 8.5 (as Mark Thomas just suggested).   If you believe
> what I just stated is not correct, please clue me in!

You're right, but, prior to 8.5 the release, the instructions were
straightforward. Having tried them and finding it not working, you
could have come directly to the users@ mailing list and asked your
question. As you see, we are fairly responsive around here :)

(I'll update my answer on SO to indicate that 8.5 and 9.0 are a little
different right now.)

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAllKym8ACgkQHPApP6U8
pFiWYRAAjDZSqhFLWi2+eEFgMqzrC+WhK3CznlCtNbtkNiVq6ErxZFCb0MaMGhIl
PEoxpyG7XgG7Dd/VAXYzDO/c6uHq5eSm2rz4ToEkEVSbcgaWV1w1FBN8KV91Eocg
QXN1JEObEQ95Tkgh1Xq8cXe3fRFDdQ+F7qRD+zz7BgrrVhRU9RNrwDrgFWVIXpI5
OoimdN8FHWo6v+BlSTmEayiLslpr7SELy32nPvHwrqIiZbsQaWqtm9uI/6PJ2mFl
vUx0LaEiT2humPLOAUYF6WSeo/bKl6ARbKTKJbo5kWMDN9M76Thqx1/FR3t/AXUl
nPtbc0DlzxAVBJ7PboouCjm32f9OFyR670Psk21aE2JP5VLxy9+4kPAr8FxS4YsR
O3s/ua9GY0B7vfJck0l6qxqygOCc81V5VUM8Vub4bj1HsWqRTbiencMwg0IHyFbm
65In0cn4Y4dvVPFiMEv/ZisCmSI1maalSuyCuql4efmcLUY7OlOEJC7F574ZLV1T
Bsa1msLdRT2RDcLCr7dxGORc+CslUYqrORtz80IlaYX0EiHn0ftrxPDNtbmyzhct
B8HkMxLopFGnoPua7wbuLKY8PNv/a9jfPrSaYzrb2PewP2kntOrDZDdI4JHDfAel
TPigpC5gzk08tgQmSZYqDfO8GVGqt1dV/5DOr3so08ESB/n/kbs=
=7uzS
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
Marc,

On 6/21/17 3:30 PM, Marc Dorsa wrote:

> Marc,
>
> On 6/21/17 2:04 PM, Marc Dorsa wrote:
>> Thank you Mark for clarifying that SSLv3 is *not* supported (at
>> all) in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat
>> docs), I could have saved days of research and experimentation. :-(
> http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat
>
> ?
>
> - -chris -------------------------------------
>
> Hi Chris,
>
> Very funny :) , however, the articles out there on the Web re:
> this issue (stackoverflow, etc.), including the Tomcat 8.5 docs,
> all suggest fairly simple steps to enable SSLv3 in Tomcat (after
> first enabling it in the Java 8 JVM). I didn't see any information
> or comments stating that SSLv3 was permanently *disabled* starting
> with Tomcat 8.5 (as Mark Thomas just suggested).   If you believe
> what I just stated is not correct, please clue me in!

You're right, but, prior to 8.5 the release, the instructions were
straightforward. Having tried them and finding it not working, you
could have come directly to the users@ mailing list and asked your
question. As you see, we are fairly responsive around here :)

(I'll update my answer on SO to indicate that 8.5 and 9.0 are a little
different right now.)

- -chris

Yes indeed. :)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

markt
In reply to this post by Marc Dorsa
On 21/06/17 19:04, Marc Dorsa wrote:

>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the
> refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather then letting me
> judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging
> a clear warning if it is.
>
> Mark
> ----------------------------------
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a
warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the
releases currently in progress but the next ones in around a month's time).

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather then letting
> me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.
>
> Mark
> ----------------------------------
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all)
> in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat docs),
> I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark

That is great news, thank you Mark!

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
In reply to this post by markt


-----Original Message-----
From: Mark Thomas [mailto:[hidden email]]
Sent: Wednesday, June 21, 2017 2:31 PM
To: Tomcat Users List <[hidden email]>
Subject: Re: Problem enabling SSLv3 in Tomcat 8.5.15

On 21/06/17 19:04, Marc Dorsa wrote:

>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 3rd-party component of our product requires SSLv3 and there's no getting around it!)  Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47.  My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather then letting
> me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.
>
> Mark
> ----------------------------------
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all)
> in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat docs),
> I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark
------------------------------

Hi Mark,

When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?  (This feature is critical for our product and is needed ASAP.)

Thank you,
Marc

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem enabling SSLv3 in Tomcat 8.5.15

markt
<snip/>

> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?  (This feature is critical for our product and is needed ASAP.)

Releases are typically monthly.

We've had a patch of regressions in releases which has delayed things
for the July release.

The August release vote passed yesterday and I expect to be making the
formal announcement later today.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Problem enabling SSLv3 in Tomcat 8.5.15

Marc Dorsa
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?  (This feature is critical for our product and is needed ASAP.)

Releases are typically monthly.

We've had a patch of regressions in releases which has delayed things
for the July release.

The August release vote passed yesterday and I expect to be making the
formal announcement later today.

Mark
----------------------------------

Thanks Mark,

FYI, I've tested and verified SSLv3 works in Tomcat 8.5.20.

I'm a happy camper. :)

Marc

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Loading...