Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list dev@tomcat.apache.org
Subject: svn commit: r1434907 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/coyote/http11/ java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/res/ webapps/docs/
Date: Thu, 17 Jan 2013 20:41:44 -0000
To: dev@tomcat.apache.org
From: schultz@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130117204145.361C82388A3D@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: schultz Date: Thu Jan 17 20:41:44 2013 New Revision: 1434907 URL: http://svn.apache.org/viewvc?rev=1434907&view=rev Log: Back-ported fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 Enable SSLHonorCipherOrder for APR connector. Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties tomcat/tc6.0.x/trunk/webapps/docs/apr.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1371283 Merged /tomcat/tc7.0.x/trunk:r1371298,1371302,1371620 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Jan 17 20:41:44 2013 
@@ -56,17 +56,6 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko, schultz -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 - Add support for SSLHonorCipherOrder - http://svn.apache.org/viewvc?view=revision&revision=1371298 - http://svn.apache.org/viewvc?view=revision&revision=1371302 (rolls-back inadvertent addition of TOMCAT-NEXT.txt) - http://svn.apache.org/viewvc?view=revision&revision=1371620 (tab -> spaces) - +1: schultz, kkolinko, jfclere - -1: - -- Note that a bug has been found in the feature to backport which - requires an update to tcnative: - https://issues.apache.org/bugzilla/show_bug.cgi?id=53969 - * Chunked encoding improvements http://people.apache.org/~markt/patches/2012-10-19-chunked-encoding-tc6.patch +1: markt, kkolinko Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Jan 17 20:41:44 2013 
@@ -416,6 +416,17 @@ public class Http11AprProtocol extends A /** + * SSL honor cipher order. + * + * Set to true to enforce the server's cipher order + * instead of the default which is to allow the client to choose a + * preferred cipher. + */ + public boolean getSSLHonorCipherOrder() { return ((AprEndpoint)endpoint).getSSLHonorCipherOrder(); } + public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { ((AprEndpoint)endpoint).setSSLHonorCipherOrder(SSLHonorCipherOrder); } + + + /** * SSL certificate file. */ public String getSSLCertificateFile() { return endpoint.getSSLCertificateFile(); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Jan 17 20:41:44 2013 @@ -332,4 +332,13 @@ public final class SSL { * Return last SSL error string */ public static native String getLastError(); + + /** + * Return true if all the requested SSL_OP_* are supported by OpenSSL. + * + * @param Bitwise-OR of all SSL_OP_* to test. + * + * @return true if all SSL_OP_* are supported by OpenSSL library. + */ + public static native boolean hasOp(int op); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jan 17 20:41:44 2013 
@@ -519,6 +519,14 @@ public class AprEndpoint extends Abstrac // --------------------------------------------------------- Public Methods + protected boolean SSLHonorCipherOrder = false; + /** + * Set to true to enforce the server's cipher order + * instead of the default which is to allow the client to choose a + * preferred cipher. + */ + public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { this.SSLHonorCipherOrder = SSLHonorCipherOrder; } + public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; } /** * Number of keepalive sockets. @@ -755,6 +763,24 @@ public class AprEndpoint extends Abstrac // Create SSL Context sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); + + // Set cipher order: client (default) or server + if (SSLHonorCipherOrder) { + boolean orderCiphersSupported = false; + try { + orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + if (orderCiphersSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + } catch (UnsatisfiedLinkError e) { + // Ignore + } + if (!orderCiphersSupported) { + // OpenSSL does not support ciphers ordering. + log.warn(sm.getString("endpoint.warn.noHonorCipherOrder", + SSL.versionString())); + } + } + // List the ciphers that the client is permitted to negotiate SSLContext.setCipherSuite(sslContext, SSLCipherSuite); // Load Server key and certificate Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Thu Jan 17 20:41:44 2013 
@@ -40,5 +40,11 @@ endpoint.process.fail=Error allocating s endpoint.sendfile.error=Unexpected sendfile error endpoint.sendfile.addfail=Sednfile failure: [{0}] {1} endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system doesn't support it +endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0} +endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0} endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown. +endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0} +endpoint.debug.channelCloseFail=Failed to close channel +endpoint.debug.socketCloseFail=Failed to close socket +endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be defined when using SSL with APR endpoint.apr.invalidSslProtocol=An invalid value [{0}] was provided for the SSLProtocol attribute Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Thu Jan 17 20:41:44 2013 @@ -271,6 +271,11 @@ and private key have to be in this file (NOT RECOMMENDED).

+ +

Set to true to enforce the server's cipher order + (from the SSLCipherSuite setting) instead of allowing + the client to choose the cipher (which is the default).

+

Pass phrase for the encrypted private key. If "SSLPassword" is not provided, the callback function Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1434907&r1=1434906&r2=1434907&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Jan 17 20:41:44 2013 @@ -46,6 +46,11 @@

+ + 53481: Added support for SSLHonorCipherOrder to allow + the server to impose its cipher order on the client. Based on a patch + provided by Marcel Å ebek. (schultz) + In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
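Review bot: the STATUS.txt hunk removes the backport proposal together with its note that the feature "requires an update to tcnative" (bug 53969), and that dependency is not carried anywhere else in the commit: neither the log message, the changelog.xml entry nor the apr.xml attribute description mentions a minimum tcnative version. Add the tcnative requirement to the changelog entry so that users of this backport know why the option can be silently reduced to a warning.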
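Review bot: in the Http11AprProtocol.java hunk the new accessors cast `endpoint` to `AprEndpoint`, while the neighbouring `getSSLCertificateFile()` calls `endpoint.getSSLCertificateFile()` on the base type; if the other SSL attributes live on the abstract endpoint, `SSLHonorCipherOrder` should sit beside them rather than introduce a cast. The setter parameter is also named with a leading capital (`boolean SSLHonorCipherOrder`); `sslHonorCipherOrder` follows the usual Java convention, and the two extra blank `+` lines before the next Javadoc block can be dropped.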
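Review bot: the Javadoc on the new `hasOp(int op)` declaration in SSL.java reads `@param Bitwise-OR of all SSL_OP_* to test.` with no parameter name, so the tag does not attach to `op` and javadoc will flag it; write `@param op Bitwise-OR of all SSL_OP_* to test.`. Because `hasOp` is a new native entry point, a Tomcat built with this patch but run against an older tcnative fails to link the method, which is exactly the `UnsatisfiedLinkError` the AprEndpoint hunk catches; a sentence in this Javadoc stating which tcnative release provides it would save the next reader that detour.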
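Review bot: the first AprEndpoint.java hunk places the `protected boolean SSLHonorCipherOrder = false;` field and its accessors directly under the `Public Methods` banner rather than with the other SSL fields, and it uses the same capitalised parameter name as the protocol handler; moving the field up with the other `SSL*` members and naming the parameter `sslHonorCipherOrder` keeps the file consistent.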
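Review bot: in the second AprEndpoint.java hunk the `catch (UnsatisfiedLinkError e)` is empty, and the code then falls through to the single `endpoint.warn.noHonorCipherOrder` message keyed on `SSL.versionString()`, so an operator whose tcnative simply predates `hasOp` is told that the SSL library does not support cipher ordering when the real cause is the native library version. Log the caught error at debug level and word the message (or use a second key) so the two cases are distinguishable; otherwise the administrator sees a cipher-order warning, concludes the option is unusable, and never learns that upgrading tcnative fixes it. Note also that a failed `setOptions` leaves the connector running with client-preferred ordering, which is the weaker configuration the option exists to avoid, so the warning deserves to be hard to miss.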
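Review bot: `endpoint.warn.noHonorCipherOrder` is added twice in the LocalStrings.properties hunk, once before and once after `endpoint.warn.unlockAcceptorFailed`; `Properties.load` keeps the last value without complaint, so one copy should be removed. The hunk also adds keys that nothing in this change references (`endpoint.warn.noInsecureReneg`, `endpoint.debug.channelCloseFail`, `endpoint.debug.socketCloseFail`, `endpoint.apr.noSslCertFile`); unless tc6.0.x code uses them, they belong in their own commit or at least in the log message.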
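Review bot: the apr.xml attribute description says what `SSLHonorCipherOrder` does but not what happens when it cannot be honoured; the code path only logs a warning and continues with client-chosen ordering when tcnative or OpenSSL lacks `SSL_OP_CIPHER_SERVER_PREFERENCE`. State that fallback in the description so readers do not assume setting the attribute is enough without checking the log.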
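Review bot: in the changelog.xml hunk the contributor's name is rendered as `Marcel Å ebek`, which is the two UTF-8 bytes of `Š` interpreted as Latin-1; confirm that changelog.xml is saved in the encoding declared in its XML prolog (or use the `&#x160;` character reference) so the name renders as `Marcel Šebek`.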