Author: markt
Date: Mon Apr 4 21:41:32 2016
New Revision: 1737749
URL: http://svn.apache.org/viewvc?rev=1737749&view=rev
Log:
With a minimum version of OpenSSL 1.0.2, these features are always available.
Modified:
tomcat/tc8.5.x/trunk/ (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Apr 4 21:41:32 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1737749&r1=1737748&r2=1737749&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon
Apr 4 21:41:32 2016
@@ -417,83 +417,32 @@ public class AprEndpoint extends Abstrac
sm.getString("endpoint.apr.failSslContextMake"),
e);
}
- boolean legacyRenegSupported = false;
- try {
- legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- if (legacyRenegSupported)
- if (sslHostConfig.getInsecureRenegotiation()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!legacyRenegSupported) {
- // OpenSSL does not support unsafe legacy renegotiation.
- log.warn(sm.getString("endpoint.warn.noInsecureReneg",
- SSL.versionString()));
+ if (sslHostConfig.getInsecureRenegotiation()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
// Use server's preference order for ciphers (rather than
// client's)
- boolean orderCiphersSupported = false;
- try {
- orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- if (orderCiphersSupported) {
- if (sslHostConfig.getHonorCipherOrder()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!orderCiphersSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
- SSL.versionString()));
+ if (sslHostConfig.getHonorCipherOrder()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
}
// Disable compression if requested
- boolean disableCompressionSupported = false;
- try {
- disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
- if (disableCompressionSupported) {
- if (sslHostConfig.getDisableCompression()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableCompressionSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noDisableCompression",
- SSL.versionString()));
+ if (sslHostConfig.getDisableCompression()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
}
// Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
- boolean disableSessionTicketsSupported = false;
- try {
- disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
- if (disableSessionTicketsSupported) {
- if (sslHostConfig.getDisableSessionTickets()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableSessionTicketsSupported) {
- // OpenSSL is too old to support TLS Session Tickets.
-
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
- SSL.versionString()));
+ if (sslHostConfig.getDisableSessionTickets()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
}
// List the ciphers that the client is permitted to negotiate
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1737749&r1=1737748&r2=1737749&view=diff
==============================================================================
---
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
Mon Apr 4 21:41:32 2016
@@ -18,10 +18,6 @@ endpoint.err.close=Caught exception tryi
endpoint.err.handshake=Handshake failed
endpoint.err.unexpected=Unexpected error processing socket
endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because
the executor had already been shutdown
-endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
-endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is
not supported by the SSL library {0}
-endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
-endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
endpoint.warn.executorShutdown=The executor associated with thread pool [{0}]
has not fully shutdown. Some application threads may still be running.
endpoint.warn.noRemoteAddr=Unable to determine remote address for socket [{0}]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
