Author: markt Date: Wed Jun 21 21:20:01 2017 New Revision: 1799515 URL: http://svn.apache.org/viewvc?rev=1799515&view=rev Log: Enable SSLv3 to be used. NOT enabled by default.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1799515&r1=1799514&r2=1799515&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Wed Jun 21 21:20:01 2017 @@ -109,6 +109,7 @@ channel.nio.ssl.sniHostName=The SNI host jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. jsse.keystore_load_failed=Failed to load keystore type [{0}] with path [{1}] due to [{2}] +jsse.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure. sniExtractor.clientHelloTooBig=The ClientHello was not presented in a single TLS record so no SNI information could be extracted Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1799515&r1=1799514&r2=1799515&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Wed Jun 21 21:20:01 2017 
@@ -53,6 +53,9 @@ public abstract class SSLUtilBase implem Set<String> implementedProtocols = getImplementedProtocols(); List<String> enabledProtocols = getEnabled("protocols", getLog(), true, configuredProtocols, implementedProtocols); + if (enabledProtocols.contains("SSLv3")) { + log.warn(sm.getString("jsse.ssl3")); + } this.enabledProtocols = enabledProtocols.toArray(new String[enabledProtocols.size()]); // Calculate the enabled ciphers Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1799515&r1=1799514&r2=1799515&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Jun 21 21:20:01 2017 
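Review bot: The new guard `enabledProtocols.contains("SSLv3")` is an exact, case-sensitive match, while the JSSEUtil filter in this same commit normalises protocol names with `toUpperCase(Locale.ENGLISH)` before comparing; if getEnabled() passes configured tokens through unchanged (its body is not in this hunk), a connector configured with `sslv3` or `SSLV3` would have the protocol enabled without ever logging the warning. Matching case-insensitively closes that gap, e.g. `if (enabledProtocols.stream().anyMatch("SSLv3"::equalsIgnoreCase)) {` on a Java 8 code base, or an `equalsIgnoreCase` loop otherwise. The adjacent getEnabled() call is given `getLog()` but the warning goes to the static `log`; routing both through `getLog()` keeps the subclass logger consistent for the whole protocol-selection path. The enclosing constructor starts before this hunk, so the origin of enabledProtocols is inferred.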
@@ -96,13 +96,14 @@ public class JSSEUtil extends SSLUtilBas String[] implementedProtocolsArray = context.getSupportedSSLParameters().getProtocols(); implementedProtocols = new HashSet<>(implementedProtocolsArray.length); - // Filter out all the SSL protocols (SSLv2 and SSLv3) from the list of - // implemented protocols since they are no longer considered secure but - // allow SSLv2Hello. This has the effect of making it impossible to use - // SSLv2 or SSLv3 without source code changes. + // Filter out SSLv2 from the list of implemented protocols (just in case + // we are running on a JVM that supports it) since it is no longer + // considered secure but allow SSLv2Hello. + // Note SSLv3 is allowed despite known insecurities because some users + // still have a requirement for it. for (String protocol : implementedProtocolsArray) { String protocolUpper = protocol.toUpperCase(Locale.ENGLISH); - if (!"SSLV2HELLO".equals(protocolUpper)) { + if (!"SSLV2HELLO".equals(protocolUpper) && !"SSLV3".equals(protocolUpper)) { if (protocolUpper.contains("SSL")) { log.debug(sm.getString("jsse.excludeProtocol", protocol)); continue; Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1799515&r1=1799514&r2=1799515&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Jun 21 21:20:01 2017 
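Review bot: With SSLv3 no longer stripped from implementedProtocols, anything downstream that expands the enabled set from the implemented set — notably the `all` token that the http.xml hunk now documents alongside SSLv3, and the default protocols value — would include SSLv3 unless that expansion is a fixed TLS-only list defined elsewhere; the commit message promises SSLv3 is not enabled by default, but nothing in this hunk enforces that. A unit test asserting that the default configuration and `protocols="all"` both yield an enabled set without SSLv3 would pin the promise, together with a comment on the filter stating the invariant, e.g. `// SSLv3 is kept in the implemented set only so an explicit "SSLv3"/"+SSLv3" token can select it; it must never be pulled in by "all" or the default.` The for loop and the surrounding method continue past the end of this hunk.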
@@ -45,6 +45,15 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 9.0.0.M23 (markt)" rtext="in development"> + <subsection name="Coyote"> + <changelog> + <fix> + Restore the ability to configure support for SSLv3. Enabling this + protocol will trigger a warning in the logs since it is known to be + insecure. (markt) + </fix> + </changelog> + </subsection> </section> <section name="Tomcat 9.0.0.M22 (markt)" rtext="release in progress"> <subsection name="Catalina"> Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1799515&r1=1799514&r2=1799515&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Wed Jun 21 21:20:01 2017 @@ -1230,8 +1230,8 @@ <p>The names of the protocols to support when communicating with clients. This should be a list of any combination of the following: </p> - <ul><li>SSLv2Hello</li><li>TLSv1</li><li>TLSv1.1</li><li>TLSv1.2</li> - <li>all</li></ul> + <ul><li>SSLv2Hello</li><li>SSLv3</li><li>TLSv1</li><li>TLSv1.1</li> + <li>TLSv1.2</li><li>all</li></ul> <p>Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org