tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From schu...@apache.org
Subject svn commit: r1434887 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/coyote/http11/ java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/res/ webapps/docs/ webapps/docs/config/
Date Thu, 17 Jan 2013 20:13:27 GMT
Author: schultz
Date: Thu Jan 17 20:13:27 2013
New Revision: 1434887

URL: http://svn.apache.org/viewvc?rev=1434887&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

Allow APR connector to disable TLS compression if OpenSSL supports it.


Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1434882

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Jan 17 20:13:27
2013
@@ -191,6 +191,12 @@ public class Http11AprProtocol extends A
     public int getSSLVerifyDepth() { return ((AprEndpoint)endpoint).getSSLVerifyDepth();
}
     public void setSSLVerifyDepth(int SSLVerifyDepth) { ((AprEndpoint)endpoint).setSSLVerifyDepth(SSLVerifyDepth);
}
     
+    /**
+     * Disable SSL compression.
+     */
+    public boolean getSSLDisableCompression() { return ((AprEndpoint)endpoint).getSSLDisableCompression();
}
+    public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)endpoint).setSSLDisableCompression(disable);
}
+
     // ----------------------------------------------------- JMX related methods
 
     @Override

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Jan 17 20:13:27 2013
@@ -115,6 +115,8 @@ public final class SSL {
     public static final int SSL_OP_ALL                              = 0x00000FFF;
     /* As server, disallow session resumption on renegotiation */
     public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+    /* Don't use compression even if supported */
+    public static final int SSL_OP_NO_COMPRESSION                         = 0x00020000;
     /* Permit unsafe legacy renegotiation */
     public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      = 0x00040000;
     /* If set, always create a new key when using tmp_eddh parameters */
@@ -339,15 +341,16 @@ public final class SSL {
     public static native String getLastError();
 
     /**
-     * Return true if SSL_OP_ if defined.
-     * <p>
-     * Currently used for testing weather the
-     * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
-     * <p>
-     * @param op SSL_OP to test.
-     * @return true if SSL_OP is supported by OpenSSL library.
+     * Return true if all the requested SSL_OP_* are supported by OpenSSL.
+     * 
+     * <i>Note that for versions of tcnative &lt; 1.1.25, this method will
+     * return <code>true</code> if and only if <code>op</code>=
+     * {@link #SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION} and tcnative
+     * supports that flag.</i>
+     *
+     * @param Bitwise-OR of all SSL_OP_* to test.
+     * 
+     * @return true if all SSL_OP_* are supported by OpenSSL library.
      */
     public static native boolean hasOp(int op);
-
 }
-

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jan 17 20:13:27
2013
@@ -327,6 +327,19 @@ public class AprEndpoint extends Abstrac
     public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { this.SSLHonorCipherOrder
= SSLHonorCipherOrder; }
     public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
 
+    /**
+     * Disables compression of the SSL stream. This thwarts CRIME attack
+     * and possibly improves performance by not compressing uncompressible
+     * content such as JPEG, etc.
+     */
+    protected boolean SSLDisableCompression = false;
+
+    /**
+     * Set to <code>true</code> to disable SSL compression. This thwarts CRIME
+     * attack.
+     */
+    public void setSSLDisableCompression(boolean SSLDisableCompression) { this.SSLDisableCompression
= SSLDisableCompression; }
+    public boolean getSSLDisableCompression() { return SSLDisableCompression; }
 
     /**
      * Port in use.
@@ -554,6 +567,23 @@ public class AprEndpoint extends Abstrac
                 }
             }
 
+            // Disable compression if requested
+            if (SSLDisableCompression) {
+                boolean disableCompressionSupported = false;
+                try {
+                    disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+                    if (disableCompressionSupported)
+                        SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);
+                } catch (UnsatisfiedLinkError e) {
+                    // Ignore
+                }
+                if (!disableCompressionSupported) {
+                    // OpenSSL does not support ciphers ordering.
+                    log.warn(sm.getString("endpoint.warn.noDisableCompression",
+                                          SSL.versionString()));
+                }
+            }
+
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
             // Load Server key and certificate

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Thu Jan
17 20:13:27 2013
@@ -41,6 +41,8 @@ endpoint.process.fail=Error allocating s
 endpoint.sendfile.error=Unexpected sendfile error
 endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
 endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system
doesn't support it
+endpoint.warn.noDisableCompression='Disable compression' option is not supported
+ by the SSL library {0}
 endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
 endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL
library {0}
 endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket
shutdown.

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jan 17 20:13:27 2013
@@ -57,6 +57,10 @@
   <subsection name="Coyote">
     <changelog>
       <fix>
+        <bug>54324</bug>: Allow APR connector to disable TLS compression
+        if OpenSSL supports it. (schultz)
+      </fix>
+      <fix>
         <bug>54406</bug>: Fix NIO HTTPS connector to prune specified <code>
         ciphers</code> and <code>sslEnableProtocols</code> options to those
         supported by the SSL implementation, sharing logic with the BIO

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Jan 17 20:13:27 2013
@@ -1201,6 +1201,12 @@
       supported).</p>
     </attribute>
 
+    <attribute name="SSLDisableCompression" required="false">
+      <p>Disables compression if set to <code>true</code> and OpenSSL supports
+      disabling comprssion. Default is <code>false</code> which inherits the
+      default compression setting in OpenSSL.</p>
+    </attribute>
+
     <attribute name="SSLHonorCipherOrder" required="false">
       <p>Set to <code>true</code> to enforce the server's cipher order
       (from the <code>SSLCipherSuite</code> setting) instead of allowing



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message