Author: markt
Date: Mon Apr 4 21:40:38 2016
New Revision: 1737748
URL: http://svn.apache.org/viewvc?rev=1737748&view=rev
Log:
With a minimum version of OpenSSL 1.0.2, these features are always available.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1737748&r1=1737747&r2=1737748&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon Apr 4
21:40:38 2016
@@ -417,83 +417,32 @@ public class AprEndpoint extends Abstrac
sm.getString("endpoint.apr.failSslContextMake"),
e);
}
- boolean legacyRenegSupported = false;
- try {
- legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- if (legacyRenegSupported)
- if (sslHostConfig.getInsecureRenegotiation()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!legacyRenegSupported) {
- // OpenSSL does not support unsafe legacy renegotiation.
- log.warn(sm.getString("endpoint.warn.noInsecureReneg",
- SSL.versionString()));
+ if (sslHostConfig.getInsecureRenegotiation()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
// Use server's preference order for ciphers (rather than
// client's)
- boolean orderCiphersSupported = false;
- try {
- orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- if (orderCiphersSupported) {
- if (sslHostConfig.getHonorCipherOrder()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!orderCiphersSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
- SSL.versionString()));
+ if (sslHostConfig.getHonorCipherOrder()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
}
// Disable compression if requested
- boolean disableCompressionSupported = false;
- try {
- disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
- if (disableCompressionSupported) {
- if (sslHostConfig.getDisableCompression()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableCompressionSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noDisableCompression",
- SSL.versionString()));
+ if (sslHostConfig.getDisableCompression()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
}
// Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
- boolean disableSessionTicketsSupported = false;
- try {
- disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
- if (disableSessionTicketsSupported) {
- if (sslHostConfig.getDisableSessionTickets()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableSessionTicketsSupported) {
- // OpenSSL is too old to support TLS Session Tickets.
-
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
- SSL.versionString()));
+ if (sslHostConfig.getDisableSessionTickets()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
}
// List the ciphers that the client is permitted to negotiate
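Review bot: The four option blocks in the new code now share one shape — test an sslHostConfig getter, then SSLContext.setOptions or clearOptions with a single SSL.SSL_OP_* flag — so a small private helper taking the context, the flag and a boolean would reduce each to one call such as `applyOption(ctx, SSL.SSL_OP_NO_TICKET, sslHostConfig.getDisableSessionTickets());`. The setOptions branch for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is the one block that loosens the default, and with the noInsecureReneg warning gone a why-comment there such as `// Opt-in for legacy clients that lack the RFC 5746 renegotiation extension` keeps that trade-off visible to the next reader. The removed try/catch also swallowed UnsatisfiedLinkError, which presumably covered a tcnative/OpenSSL build older than the new minimum; the hunk itself does not check the library version, so I assume that floor is enforced elsewhere. The enclosing method starts before and ends after this hunk.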
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1737748&r1=1737747&r2=1737748&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Mon
Apr 4 21:40:38 2016
@@ -18,10 +18,6 @@ endpoint.err.close=Caught exception tryi
endpoint.err.handshake=Handshake failed
endpoint.err.unexpected=Unexpected error processing socket
endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because
the executor had already been shutdown
-endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
-endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is
not supported by the SSL library {0}
-endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
-endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
endpoint.warn.executorShutdown=The executor associated with thread pool [{0}]
has not fully shutdown. Some application threads may still be running.
endpoint.warn.noRemoteAddr=Unable to determine remote address for socket [{0}]