From dev-return-193931-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Tue Oct 9 19:23:52 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 5ABD1180668 for ; Tue, 9 Oct 2018 19:23:51 +0200 (CEST) Received: (qmail 26666 invoked by uid 500); 9 Oct 2018 17:23:50 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 26656 invoked by uid 99); 9 Oct 2018 17:23:50 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Oct 2018 17:23:50 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 8E4C93A028E for ; Tue, 9 Oct 2018 17:23:49 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1843314 - in /tomcat/trunk: java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ java/org/apache/tomcat/util/net/openssl/ webapps/docs/ webapps/docs/config/ Date: Tue, 09 Oct 2018 17:23:49 -0000 To: dev@tomcat.apache.org From: markt@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181009172349.8E4C93A028E@svn01-us-west.apache.org> Author: markt Date: Tue Oct 9 17:23:48 2018 New Revision: 1843314 URL: http://svn.apache.org/viewvc?rev=1843314&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62748 Add TLS 1.3 support (CLIENT-CERT untested) Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Tue Oct 9 17:23:48 2018 @@ -73,7 +73,9 @@ public final class SSL { public static final int SSL_PROTOCOL_TLSV1 = (1<<2); public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5); + public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | + SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3); /* * Define the SSL verify levels Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Tue Oct 9 17:23:48 2018 @@ -41,6 +41,7 @@ public final class SSLContext { * {@link SSL#SSL_PROTOCOL_TLSV1} * {@link SSL#SSL_PROTOCOL_TLSV1_1} * {@link SSL#SSL_PROTOCOL_TLSV1_2} + * {@link SSL#SSL_PROTOCOL_TLSV1_3} * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) * * @param mode SSL mode to use Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Oct 9 17:23:48 2018 @@ -439,6 +439,8 @@ public class AprEndpoint extends Abstrac value |= SSL.SSL_PROTOCOL_TLSV1_1; } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_TLSV1_2; + } else if (Constants.SSL_PROTO_TLSv1_3.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_3; } else { // Should not happen since filtering to build // enabled protocols removes invalid values. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Oct 9 17:23:48 2018 @@ -35,7 +35,6 @@ import javax.net.ssl.TrustManagerFactory import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -import org.apache.tomcat.util.compat.TLS; import org.apache.tomcat.util.net.openssl.OpenSSLConf; import org.apache.tomcat.util.net.openssl.ciphers.Cipher; import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser; @@ -62,9 +61,7 @@ public class SSLHostConfig implements Se SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1); SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_1); SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_2); - if (TLS.isTlsv13Available()) { - SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_3); - } + SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_3); } private Type configType = null; @@ -85,6 +82,10 @@ public class SSLHostConfig implements Se private String[] enabledCiphers; private String[] enabledProtocols; private ObjectName oname; + // Need to know if TLS 1.3 has been explicitly requested as a warning needs + // to generated if it is explicitly requested for a JVM that does not + // support it. Uses a set so it is extensible for TLS 1.4 etc. + private Set explicitlyRequestedProtocols = new HashSet<>(); // Nested private SSLHostConfigCertificate defaultCertificate = null; private Set certificates = new HashSet<>(4); @@ -443,6 +444,7 @@ public class SSLHostConfig implements Se public void setProtocols(String input) { protocols.clear(); + explicitlyRequestedProtocols.clear(); // List of protocol names, separated by ",", "+" or "-". // Semantics is adding ("+") or removing ("-") from left @@ -465,6 +467,7 @@ public class SSLHostConfig implements Se protocols.addAll(SSL_PROTO_ALL_SET); } else { protocols.add(trimmed); + explicitlyRequestedProtocols.add(trimmed); } } else if (trimmed.charAt(0) == '-') { trimmed = trimmed.substring(1).trim(); @@ -472,6 +475,7 @@ public class SSLHostConfig implements Se protocols.removeAll(SSL_PROTO_ALL_SET); } else { protocols.remove(trimmed); + explicitlyRequestedProtocols.remove(trimmed); } } else { if (trimmed.charAt(0) == ',') { @@ -485,6 +489,7 @@ public class SSLHostConfig implements Se protocols.addAll(SSL_PROTO_ALL_SET); } else { protocols.add(trimmed); + explicitlyRequestedProtocols.add(trimmed); } } } @@ -497,6 +502,11 @@ public class SSLHostConfig implements Se } + boolean isExplicitlyRequestedProtocol(String protocol) { + return explicitlyRequestedProtocols.contains(protocol); + } + + // ---------------------------------- JSSE specific configuration properties // TODO: These certificate setters can be removed once it is no longer Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Tue Oct 9 17:23:48 2018 @@ -48,14 +48,25 @@ public abstract class SSLUtilBase implem protected SSLUtilBase(SSLHostConfigCertificate certificate) { + this(certificate, true); + } + + + protected SSLUtilBase(SSLHostConfigCertificate certificate, boolean warnOnSkip) { this.certificate = certificate; SSLHostConfig sslHostConfig = certificate.getSSLHostConfig(); // Calculate the enabled protocols Set configuredProtocols = sslHostConfig.getProtocols(); + if (!isTls13Available() && + !sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_TLSv1_3)) { + // TLS 1.3 not implemented and not explicitly requested so ignore it + // if present + configuredProtocols.remove(Constants.SSL_PROTO_TLSv1_3); + } Set implementedProtocols = getImplementedProtocols(); List enabledProtocols = - getEnabled("protocols", getLog(), true, configuredProtocols, implementedProtocols); + getEnabled("protocols", getLog(), warnOnSkip, configuredProtocols, implementedProtocols); if (enabledProtocols.contains("SSLv3")) { log.warn(sm.getString("jsse.ssl3")); } @@ -197,4 +208,5 @@ public abstract class SSLUtilBase implem protected abstract Set getImplementedProtocols(); protected abstract Set getImplementedCiphers(); protected abstract Log getLog(); + protected abstract boolean isTls13Available(); } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Oct 9 17:23:48 2018 @@ -58,6 +58,7 @@ import javax.net.ssl.X509KeyManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.compat.JreVendor; +import org.apache.tomcat.util.compat.TLS; import org.apache.tomcat.util.file.ConfigFileLoader; import org.apache.tomcat.util.net.Constants; import org.apache.tomcat.util.net.SSLContext; @@ -141,7 +142,12 @@ public class JSSEUtil extends SSLUtilBas public JSSEUtil (SSLHostConfigCertificate certificate) { - super(certificate); + this(certificate, true); + } + + + public JSSEUtil (SSLHostConfigCertificate certificate, boolean warnOnSkip) { + super(certificate, warnOnSkip); this.sslHostConfig = certificate.getSSLHostConfig(); } @@ -164,6 +170,12 @@ public class JSSEUtil extends SSLUtilBas } + @Override + protected boolean isTls13Available() { + return TLS.isTlsv13Available(); + } + + @Override public SSLContext createSSLContext(List negotiableProtocols) throws NoSuchAlgorithmException { return new JSSESSLContext(sslHostConfig.getSslProtocol()); Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Oct 9 17:23:48 2018 @@ -153,6 +153,8 @@ public class OpenSSLContext implements o value |= SSL.SSL_PROTOCOL_TLSV1_1; } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_TLSV1_2; + } else if (Constants.SSL_PROTO_TLSv1_3.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_3; } else if (Constants.SSL_PROTO_ALL.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_ALL; } else { Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Tue Oct 9 17:23:48 2018 @@ -21,7 +21,6 @@ import java.nio.ReadOnlyBufferException; import java.security.Principal; import java.security.cert.Certificate; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -65,6 +64,8 @@ public final class OpenSSLEngine extends public static final Set AVAILABLE_CIPHER_SUITES; + public static final Set IMPLEMENTED_PROTOCOLS_SET; + static { final Set availableCipherSuites = new LinkedHashSet<>(128); final long aprPool = Pool.create(0); @@ -94,6 +95,19 @@ public final class OpenSSLEngine extends Pool.destroy(aprPool); } AVAILABLE_CIPHER_SUITES = Collections.unmodifiableSet(availableCipherSuites); + + HashSet protocols = new HashSet<>(); + protocols.add(Constants.SSL_PROTO_SSLv2Hello); + protocols.add(Constants.SSL_PROTO_SSLv2); + protocols.add(Constants.SSL_PROTO_SSLv3); + protocols.add(Constants.SSL_PROTO_TLSv1); + protocols.add(Constants.SSL_PROTO_TLSv1_1); + protocols.add(Constants.SSL_PROTO_TLSv1_2); + if (SSL.version() >= 0x1010100f) { + protocols.add(Constants.SSL_PROTO_TLSv1_3); + } + + IMPLEMENTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocols); } private static final int MAX_PLAINTEXT_LENGTH = 16 * 1024; // 2^14 @@ -103,17 +117,6 @@ public final class OpenSSLEngine extends // Protocols static final int VERIFY_DEPTH = 10; - private static final String[] IMPLEMENTED_PROTOCOLS = { - Constants.SSL_PROTO_SSLv2Hello, - Constants.SSL_PROTO_SSLv2, - Constants.SSL_PROTO_SSLv3, - Constants.SSL_PROTO_TLSv1, - Constants.SSL_PROTO_TLSv1_1, - Constants.SSL_PROTO_TLSv1_2 - }; - public static final Set IMPLEMENTED_PROTOCOLS_SET = - Collections.unmodifiableSet(new HashSet<>(Arrays.asList(IMPLEMENTED_PROTOCOLS))); - // Header (5) + Data (2^14) + Compression (1024) + Encryption (1024) + MAC (20) + Padding (256) static final int MAX_ENCRYPTED_PACKET_LENGTH = MAX_CIPHERTEXT_LENGTH + 5 + 20 + 256; @@ -760,7 +763,7 @@ public final class OpenSSLEngine extends @Override public String[] getSupportedProtocols() { - return IMPLEMENTED_PROTOCOLS.clone(); + return IMPLEMENTED_PROTOCOLS_SET.toArray(new String[IMPLEMENTED_PROTOCOLS_SET.size()]); } @Override Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Tue Oct 9 17:23:48 2018 @@ -25,6 +25,7 @@ import javax.net.ssl.TrustManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.jni.SSL; import org.apache.tomcat.util.net.SSLContext; import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLHostConfigCertificate; @@ -42,7 +43,8 @@ public class OpenSSLUtil extends SSLUtil if (certificate.getCertificateFile() == null) { // Using JSSE configuration for keystore and truststore - jsseUtil = new JSSEUtil(certificate); + // Missing protocols not a concern so don't warn on skip + jsseUtil = new JSSEUtil(certificate, false); } else { // Use OpenSSL configuration for certificates jsseUtil = null; @@ -68,6 +70,12 @@ public class OpenSSLUtil extends SSLUtil } + @Override + protected boolean isTls13Available() { + return SSL.version() >= 0x1010100f; + } + + @Override public SSLContext createSSLContext(List negotiableProtocols) throws Exception { return new OpenSSLContext(certificate, negotiableProtocols); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Tue Oct 9 17:23:48 2018 @@ -118,6 +118,10 @@ Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt) + + 62748: Add TLS 1.3 support for the Tomcat Native connector. + (schultz/markt) + 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1843314&r1=1843313&r2=1843314&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Tue Oct 9 17:23:48 2018 @@ -1294,8 +1294,8 @@ an empty list.

The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

-

Note that TLSv1.3 is only supported for JSSE and JVMs - that implement TLSv1.3.

+

Note that TLSv1.3 is only supported for JSSE when using a + JVM that implements TLSv1.3.

Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org