Author: rjung Date: Sun Mar 20 10:44:21 2016 New Revision: 1735861 URL: http://svn.apache.org/viewvc?rev=1735861&view=rev Log: Use new OpenSSL 1.1.0 protocol version max and min API when creating a new SSL context.
Modified: tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1735861&r1=1735860&r2=1735861&view=diff ==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Sun Mar 20 10:44:21 2016
@@ -139,6 +139,9 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 tcn_ssl_ctxt_t *c = NULL;
 SSL_CTX *ctx = NULL;
 jclass clazz;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ jint prot;
+#endif
 UNREFERENCED(o);
 if (protocol == SSL_PROTOCOL_NONE) {
@@ -146,6 +149,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 goto init_failed;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (protocol == SSL_PROTOCOL_TLSV1_2) {
 #ifdef HAVE_TLSV1_2
 if (mode == SSL_MODE_CLIENT)
@@ -189,13 +193,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 /* requested but not supported */
 #endif
 } else {
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
 if (mode == SSL_MODE_CLIENT)
 ctx = SSL_CTX_new(TLS_client_method());
 else if (mode == SSL_MODE_SERVER)
 ctx = SSL_CTX_new(TLS_server_method());
 else
 ctx = SSL_CTX_new(TLS_method());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 }
+#endif
 if (!ctx) {
 char err[256];
@@ -216,6 +223,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 if (c->bio_os != NULL)
 BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
 SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /* always disable SSLv2, as per RFC 6176 */
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 if (!(protocol & SSL_PROTOCOL_SSLV3))
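Review bot: The `} else {` opened by the pre-1.1.0 version chain is now closed by a `}` that sits under a separate `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, so brace matching in this function depends on preprocessor state, and the bare `+#endif` that follows gives no hint of what it closes. Reusing the guard comment that the `#endif` a few lines above already carries would at least make the pair matchable: `#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L: closes the else of the version chain */`. A layout where each OpenSSL generation creates the context in a complete block of its own would avoid the split brace entirely, but the chain starts before this hunk and the function body continues past it.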
@@ -230,6 +239,38 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 if (!(protocol & SSL_PROTOCOL_TLSV1_2))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
 #endif
+
+#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ /* We first determine the maximum protocol version we should provide */
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+ } else {
+ SSL_CTX_free(ctx);
+ tcn_Throw(e, "Invalid Server SSL Protocol (%d)", protocol);
+ goto init_failed;
+ }
+ SSL_CTX_set_max_proto_version(ctx, prot);
+
+ /* Next we scan for the minimal protocol version we should provide,
+ * but we do not allow holes between max and min */
+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ }
+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ }
+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = SSL3_VERSION;
+ }
+ SSL_CTX_set_min_proto_version(ctx, prot);
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 /*
 * Configure additional context ingredients
 */
Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1735861&r1=1735860&r2=1735861&view=diff ==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Sun Mar 20 10:44:21 2016
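Review bot: The third narrowing step tests the wrong protocol bit: `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1)` is always true when it is reached, because every assignment that leaves prot at TLS1_VERSION already required SSL_PROTOCOL_TLSV1, so the minimum silently becomes SSL3_VERSION whenever TLSv1 is enabled and SSLv3 is accepted even though the caller excluded it; the line should read `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {`. The results of SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version are discarded, so a version the library refuses leaves the default range in force with no error; checking each for 0 and taking the existing init_failed path would surface that. In the invalid-protocol branch ctx is freed by hand before `goto init_failed` while c->ctx, referenced a few lines above, still points at the same object — whether the init_failed path also frees c->ctx is outside this hunk, so please confirm this is not a double free. The enclosing TCN_IMPLEMENT_CALL body begins and ends outside the hunk.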
@@ -37,6 +37,10 @@
 <section name="Changes in 1.2.6">
 <changelog>
 <update>
+ Use new OpenSSL 1.1.0 protocol version max and min API
+ when creating a new SSL context. (rjung)
+ </update>
+ <update>
 Improve renegotiation code and make it compatible with OpenSSL 1.1.0. (rjung)
 </update>
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org