tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject svn commit: r917928 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/res/LocalStrings.properties webapps/docs/changelog.xml
Date Tue, 02 Mar 2010 09:14:46 GMT
Author: mturk
Date: Tue Mar  2 09:14:44 2010
New Revision: 917928

URL: http://svn.apache.org/viewvc?rev=917928&view=rev
Log:
Port SSLInsecureRenegotiation from mod_ssl

Modified:
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Tue Mar  2 09:14:44 2010
@@ -113,9 +113,12 @@
     /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
      *             This used to be 0x000FFFFFL before 0.9.7. */
     public static final int SSL_OP_ALL                              = 0x00000FFF;
-
     /* As server, disallow session resumption on renegotiation */
     public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+    /* Permit unsafe legacy renegotiation */
+    public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      = 0x00040000;
+    /* If set, always create a new key when using tmp_eddh parameters */
+    public static final int SSL_OP_SINGLE_ECDH_USE                  = 0x00080000;
     /* If set, always create a new key when using tmp_dh parameters */
     public static final int SSL_OP_SINGLE_DH_USE                    = 0x00100000;
     /* Set to always use the tmp_rsa key when doing RSA operations,
@@ -325,4 +328,17 @@
      * Return last SSL error string
      */
     public static native String getLastError();
+
+    /**
+     * Return true if SSL_OP_ if defined.
+     * <p>
+     * Currently used for testing weather the
+     * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
+     * <p>
+     * @param op SSL_OP to test.
+     * @return true if SSL_OP is supported by OpenSSL library.
+     */
+    public static native boolean hasOp(int op);
+
 }
+

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Mar  2 09:14:44 2010
@@ -309,6 +309,14 @@
     public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth = SSLVerifyDepth;
}
 
 
+    /**
+     * SSL allow insecure renegotiation for the the client that does not
+     * support the secure renegotiation.
+     */
+    protected boolean SSLInsecureRenegotiation = false;
+    public void seSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation
= SSLInsecureRenegotiation; }
+    public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
+
     // --------------------------------------------------------- Public Methods
 
 
@@ -460,6 +468,15 @@
             }
             // Create SSL Context
             sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+            if (SSLInsecureRenegotiation) {
+                if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                    SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+                else {
+                    // OpenSSL does not support unsafe legacy renegotiation.
+                    log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+                                          SSL.versionString()));
+                }
+            }
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
             // Load Server key and certificate

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Tue Mar  2 09:14:44
2010
@@ -39,3 +39,4 @@
 endpoint.sendfile.error=Unexpected sendfile error
 endpoint.sendfile.addfail=Sednfile failure: [{0}] {1}
 endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system
doesn't support it
+endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library {0}

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar  2 09:14:44 2010
@@ -114,6 +114,11 @@
   <subsection name="Coyote">
     <changelog>
       <update>
+        Port SSLInsecureRenegotiation from mod_ssl. This requires
+        to use tomcat-native 1.2.21 that have option to detect this
+        support from OpenSSL library. (mturk)
+      </update>
+      <update>
         Allow bigger AJP packets also for request bodies and responses
         using the packetSize attribute of the Connector. (rjung)
       </update>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message