tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r1712457 - in /tomcat/native/trunk/native/src: ssl.c sslnetwork.c sslutils.c
Date Wed, 04 Nov 2015 16:35:26 GMT
2015-11-04 5:25 GMT+03:00  <billbarker@apache.org>:
> Author: billbarker
> Date: Wed Nov  4 02:25:05 2015
> New Revision: 1712457
>
> URL: http://svn.apache.org/viewvc?rev=1712457&view=rev
> Log:
> Forward port r1712199 align with OpenSSL master. Just deleted the SSLeay check since
> any OS I know will raise an UnsatisfiedLinkError if you try to load this with such an old version
> when 1.0.2x is required. Otherwise no change if compiling against 1.0.2x
>
> Modified:
>     tomcat/native/trunk/native/src/ssl.c
>     tomcat/native/trunk/native/src/sslnetwork.c
>     tomcat/native/trunk/native/src/sslutils.c
>

> Modified: tomcat/native/trunk/native/src/sslnetwork.c
> URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1712457&r1=1712456&r2=1712457&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslnetwork.c (original)
> +++ tomcat/native/trunk/native/src/sslnetwork.c Wed Nov  4 02:25:05 2015
> @@ -650,6 +650,7 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
>  #endif
>          return APR_EGENERAL;
>      }
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>      SSL_set_state(con->ssl, SSL_ST_ACCEPT);
>
>      apr_socket_timeout_get(con->sock, &timeout);
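Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` opened here is not closed in this hunk; its `#endif` lands after the `SSL_get_state` check in the next hunk, so on OpenSSL 1.1+ the guard drops not only `SSL_set_state(con->ssl, SSL_ST_ACCEPT);` but also `apr_socket_timeout_get(con->sock, &timeout);` and everything in between. Please confirm that nothing after the `#endif` still reads `timeout` on 1.1+ (otherwise it is used uninitialised there), or narrow the guard to the `SSL_set_state` line, and add a one-line comment on the `#if` stating why the second handshake pass is skipped for 1.1+.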
> @@ -669,14 +670,11 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
>              break;
>      }
>      con->reneg_state = RENEG_REJECT;
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +
>      if (SSL_get_state(con->ssl) != SSL_ST_OK) {
> -#else
> -    if (SSL_get_state(con->ssl) != TLS_ST_OK) {
> -#endif
>          return APR_EGENERAL;
>      }
> -
> +#endif
>      return APR_SUCCESS;
>  }
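Review bot: on OpenSSL 1.1+ the function now goes from `con->reneg_state = RENEG_REJECT;` straight to `return APR_SUCCESS;` with no check of the handshake outcome, because the removed `#else` branch `if (SSL_get_state(con->ssl) != TLS_ST_OK)` was the only 1.1+ error path in this region. Unless the first `SSL_do_handshake()` loop above is known to return `APR_EGENERAL` on every failure, keep a `TLS_ST_OK` check outside the `#if`/`#endif` so a failed renegotiation is not reported as success. The added empty `+` line after `RENEG_REJECT;` and the removed blank line before `return APR_SUCCESS;` are whitespace-only and unrelated to the functional change.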


Regarding the above change in SSLSocket.renegotiate()
    TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS,
                                                     jlong sock)

As a comment there says,

    /* Sequence to renegotiate is
     *  SSL_renegotiate()
     *  SSL_do_handshake()
     *  ssl->state = SSL_ST_ACCEPT
     *  SSL_do_handshake()
     */

The change is that the second handshake attempt (starting with
ssl->state) is removed on OpenSSL 1.1+.

Can it be removed completely -- on the old library as well?  I think
that the first SSL_do_handshake() shall be enough.

Actually we do not have tests for renegotiation, as
org.apache.tomcat.util.net.TesterSupport does

    protected static boolean isRenegotiationSupported(Tomcat tomcat) {
        String protocol = tomcat.getConnector().getProtocolHandlerClassName();
        if (protocol.contains("Apr")) {
            // Disabled by default in 1.1.20 windows binary (2010-07-27)
            return false;
        }
        if (protocol.contains("NioProtocol") ||
                (protocol.contains("Nio2Protocol") && isMacOs())) {
            // Doesn't work on all platforms - see BZ 56448.
            return false;
        }

        return true;
    }


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

