Author: rjung
Date: Sat Aug 19 20:31:31 2017
New Revision: 1805525
URL: http://svn.apache.org/viewvc?rev=1805525&view=rev
Log:
When using a Java connector in combination with
the OpenSSL TLS implementation, do not configure
each SSL connection object via the OpenSSLEngine.
For OpenSSL the SSL object inherits its settings
from the SSL_CTX which we have already configured.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805525&r1=1805524&r2=1805525&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Sat Aug 19 20:31:31 2017
@@ -413,7 +413,7 @@ public class OpenSSLContext implements o
@Override
public SSLEngine createSSLEngine() {
return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
- (negotiableProtocols != null && negotiableProtocols.size() >
0));
+ (negotiableProtocols != null && negotiableProtocols.size() >
0), initialized);
}
@Override
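Review bot: `initialized` is read here at engine-creation time, but the hunk does not show where it is set; if it is a plain field written by `init()` and `createSSLEngine()` can be called from another thread, the read is unsynchronized and an engine created in that window silently falls back to per-engine configuration. Confirm the field is `volatile` or that the context is never published before `init()` completes. A short comment on the call would also help the next reader, e.g. `// engines of an initialized context inherit protocol, cipher and verify settings from the SSL_CTX`.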
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1805525&r1=1805524&r2=1805525&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Sat
Aug 19 20:31:31 2017
@@ -164,6 +164,7 @@ public final class OpenSSLEngine extends
private final String fallbackApplicationProtocol;
private final OpenSSLSessionContext sessionContext;
private final boolean alpn;
+ private final boolean initialized;
private String selectedProtocol = null;
@@ -173,15 +174,38 @@ public final class OpenSSLEngine extends
* Creates a new instance
*
* @param sslCtx an OpenSSL {@code SSL_CTX} object
- * @param alloc the {@link ByteBufAllocator} that will be used by this
- * engine
+ * @param fallbackApplicationProtocol the fallback application protocol
* @param clientMode {@code true} if this is used for clients, {@code
false}
* otherwise
* @param sessionContext the {@link OpenSslSessionContext} this
* {@link SSLEngine} belongs to.
+ * @param alpn {@code true} if alpn should be used, {@code false}
+ * otherwise
+ */
+ OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
+ boolean clientMode, OpenSSLSessionContext sessionContext,
+ boolean alpn) {
+ this(sslCtx, fallbackApplicationProtocol, clientMode, sessionContext,
+ alpn, false);
+ }
+
+ /**
+ * Creates a new instance
+ *
+ * @param sslCtx an OpenSSL {@code SSL_CTX} object
+ * @param fallbackApplicationProtocol the fallback application protocol
+ * @param clientMode {@code true} if this is used for clients, {@code
false}
+ * otherwise
+ * @param sessionContext the {@link OpenSslSessionContext} this
+ * {@link SSLEngine} belongs to.
+ * @param alpn {@code true} if alpn should be used, {@code false}
+ * otherwise
+ * @param initialized {@code true} if this instance gets its protocol,
+ * cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
*/
OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
- boolean clientMode, OpenSSLSessionContext sessionContext, boolean
alpn) {
+ boolean clientMode, OpenSSLSessionContext sessionContext, boolean
alpn,
+ boolean initialized) {
if (sslCtx == 0) {
throw new
IllegalArgumentException(sm.getString("engine.noSSLContext"));
}
@@ -194,6 +218,7 @@ public final class OpenSSLEngine extends
this.clientMode = clientMode;
this.sessionContext = sessionContext;
this.alpn = alpn;
+ this.initialized = initialized;
}
@Override
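Review bot: The `@param sessionContext` line uses `{@link OpenSslSessionContext}`, which does not match the parameter's declared type `OpenSSLSessionContext`, so the javadoc reference will not resolve; change it to `{@link OpenSSLSessionContext}` in both copies of the comment. The `@param initialized` description should also state the consequence this commit introduces — that when it is true the engine's cipher-suite, protocol, client-mode and client-auth setters become no-ops — e.g. `@param initialized {@code true} if protocol, cipher and client verification are taken from {@code sslCtx}; the corresponding setters on this engine are then ignored`. The constructor throws for a zero handle and should document it with `@throws IllegalArgumentException if {@code sslCtx} is {@code 0}`. The constructor body continues past the end of this hunk.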
@@ -697,6 +722,9 @@ public final class OpenSSLEngine extends
@Override
public synchronized void setEnabledCipherSuites(String[] cipherSuites) {
+ if (initialized) {
+ return;
+ }
if (cipherSuites == null) {
throw new
IllegalArgumentException(sm.getString("engine.nullCipherSuite"));
}
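Review bot: The early `return` on `initialized` now runs before the null check, so `setEnabledCipherSuites(null)` silently succeeds on an SSL_CTX-configured engine instead of throwing the IllegalArgumentException the SSLEngine contract requires for a null array; validate the argument first, `if (cipherSuites == null) { throw new IllegalArgumentException(sm.getString("engine.nullCipherSuite")); }`, and only then `if (initialized) { return; }`. Silently discarding an explicitly requested cipher list is also a footgun for callers that expect to tighten the suite set per engine; a debug-level log at the return would make the ignored configuration discoverable. The rest of the method is outside this hunk.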
@@ -772,6 +800,9 @@ public final class OpenSSLEngine extends
@Override
public synchronized void setEnabledProtocols(String[] protocols) {
+ if (initialized) {
+ return;
+ }
if (protocols == null) {
// This is correct from the API docs
throw new IllegalArgumentException();
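Review bot: As with the cipher-suite setter, the `initialized` return precedes the null check that the comment `This is correct from the API docs` defends, so a null `protocols` array no longer throws when the engine is SSL_CTX-configured; keep the check first and return afterwards. More importantly for a TLS endpoint, a caller that passes a narrower protocol list than the SSL_CTX (for example to disable an old TLS version on one engine) gets neither an error nor any effect, and the value reported by `getEnabledProtocols()` should then reflect the context rather than the ignored argument — worth confirming, since that getter is outside this hunk. Consider logging the ignored call at debug level so the mismatch is visible during troubleshooting.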
@@ -970,6 +1001,9 @@ public final class OpenSSLEngine extends
@Override
public void setUseClientMode(boolean clientMode) {
+ if (initialized) {
+ return;
+ }
if (clientMode != this.clientMode) {
throw new UnsupportedOperationException();
}
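Review bot: The new guard skips the `clientMode != this.clientMode` check, which is not an SSL_CTX setting but the engine's own fixed mode assigned in the constructor, so an attempt to flip an initialized engine to the opposite mode is now silently accepted instead of raising UnsupportedOperationException. Put the mode check first and return only afterwards: `if (clientMode != this.clientMode) { throw new UnsupportedOperationException(); }` followed by `if (initialized) { return; }`. Whatever the original method does after the check is outside this hunk, so I cannot tell whether other per-engine state is skipped as well.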
@@ -1001,6 +1035,9 @@ public final class OpenSSLEngine extends
}
private void setClientAuth(ClientAuthMode mode) {
+ if (initialized) {
+ return;
+ }
if (clientMode) {
return;
}
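Review bot: With `initialized` set, `setClientAuth` returns before doing anything, so `setNeedClientAuth(true)` / `setWantClientAuth(true)` — if they route through here, as the name suggests; the callers are outside this hunk — no longer change the verification mode of the SSL object, and client-certificate enforcement is exactly what was configured on the SSL_CTX. That matches the commit's intent but deserves a comment at the return, e.g. `// Verification mode is inherited from the SSL_CTX; per-engine changes are intentionally ignored`, plus a check that the need/want-client-auth getters report the context's mode rather than a stale per-engine field. If the requested mode differs from the context's, a warning-level log would surface a misconfiguration that otherwise silently weakens client authentication.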
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805525&r1=1805524&r2=1805525&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Aug 19 20:31:31 2017
@@ -48,6 +48,12 @@
<subsection name="Catalina">
<changelog>
<fix>
+ When using a Java connector in combination with the OpenSSL TLS
+ implementation, do not configure each SSL connection object via
+ the OpenSSLEngine. For OpenSSL the SSL object inherits its
+ settings from the SSL_CTX which we have already configured.
+ </fix>
+ <fix>
Before generating an error page in the <code>ErrorReportValve</code>,
check to see if I/O is still permitted for the associated connection
before generating the error page so that the page generation can be