Author: rjung Date: Sat Aug 19 21:35:50 2017 New Revision: 1805529 URL: http://svn.apache.org/viewvc?rev=1805529&view=rev Log: Update enabledProtocols and enabledCiphers in SSLHostConfig after OpenSSLConf has been applied.
This is needed, because the Manager webapp feature of listing the current enabled ciphers relies on SSLHostConfig. Unfortunately the setters in SSLHostConfig are not public and OpenSSLContext which needs to call it is in a sub package. For now I made the two setters public, any better suggestions welcome.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805529&r1=1805528&r2=1805529&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19 21:35:50 2017
@@ -581,6 +581,31 @@ public class AprEndpoint extends Abstrac
 } catch (Exception e) {
 throw new Exception(sm.getString("endpoint.apr.errApplyConf"), e);
 }
+ // Reconfigure the enabled protocols
+ int opts = SSLContext.getOptions(ctx);
+ List<String> enabled = new ArrayList<>();
+ // Seems like there is no way to explicitly disable SSLv2Hello
+ // in OpenSSL so it is always enabled
+ enabled.add(Constants.SSL_PROTO_SSLv2Hello);
+ if ((opts & SSL.SSL_OP_NO_TLSv1) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1);
+ }
+ if ((opts & SSL.SSL_OP_NO_TLSv1_1) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1_1);
+ }
+ if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1_2);
+ }
+ if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
+ enabled.add(Constants.SSL_PROTO_SSLv2);
+ }
+ if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) {
+ enabled.add(Constants.SSL_PROTO_SSLv3);
+ }
+ sslHostConfig.setEnabledProtocols(
+ enabled.toArray(new String[enabled.size()]));
+ // Reconfigure the enabled ciphers
+ sslHostConfig.setEnabledCiphers(SSLContext.getCiphers(ctx));
 }
 } else {
 cctx = 0;
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1805529&r1=1805528&r2=1805529&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Sat Aug 19 21:35:50 2017
@@ -198,7 +198,7 @@ public class SSLHostConfig implements Se
 }
- void setEnabledProtocols(String[] enabledProtocols) {
+ public void setEnabledProtocols(String[] enabledProtocols) {
 this.enabledProtocols = enabledProtocols;
 }
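Review bot: The protocol list handed to `sslHostConfig.setEnabledProtocols(...)` is derived solely from the SSL_OP_NO_* bits, so it reports SSLv2 and SSLv3 as enabled whenever those bits are clear, even on an OpenSSL build that has them compiled out, and it cannot see restrictions that do not set those bits (as far as I know the OpenSSLConf MinProtocol/MaxProtocol commands of OpenSSL 1.1.0+ behave that way), so the Manager listing this feeds can overstate what is actually negotiable. A comment on the `int opts = SSLContext.getOptions(ctx);` line should make that explicit, e.g. `// Best-effort view: mirrors the SSL_OP_NO_* bits only, not library support or min/max-version limits`. The same 25-line block is repeated verbatim in the OpenSSLContext hunk (@@ -397); a single shared static helper that takes the native context handle and returns the String[] would keep the two in step when a new protocol flag is added, and `enabled.toArray(new String[0])` is the more conventional form. The enclosing method bodies continue outside both hunks.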
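Review bot: setEnabledProtocols() becomes public without Javadoc, and since the commit message says the Manager webapp reads this value, nothing tells a caller that the setter records the effective set computed by the endpoint after the native context is configured rather than configuring anything itself. Add a Javadoc to that effect, e.g. `/** Records the protocols actually enabled on the created SSL context; set by the endpoint/context implementation after configuration, not a user-facing setting. */`; the same applies to setEnabledCiphers() in the @@ -213 hunk. The array is stored by reference at `this.enabledProtocols = enabledProtocols;`, so if the matching getter hands back the same array a caller could alter the reported set; a `clone()` on store is worth considering — the getter lies outside this hunk.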
@@ -213,7 +213,7 @@ public class SSLHostConfig implements Se
 }
- void setEnabledCiphers(String[] enabledCiphers) {
+ public void setEnabledCiphers(String[] enabledCiphers) {
 this.enabledCiphers = enabledCiphers;
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805529&r1=1805528&r2=1805529&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Sat Aug 19 21:35:50 2017
@@ -397,6 +397,31 @@ public class OpenSSLContext implements o
 } catch (Exception e) {
 throw new SSLException(sm.getString("openssl.errApplyConf"), e);
 }
+ // Reconfigure the enabled protocols
+ int opts = SSLContext.getOptions(ctx);
+ List<String> enabled = new ArrayList<>();
+ // Seems like there is no way to explicitly disable SSLv2Hello
+ // in OpenSSL so it is always enabled
+ enabled.add(Constants.SSL_PROTO_SSLv2Hello);
+ if ((opts & SSL.SSL_OP_NO_TLSv1) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1);
+ }
+ if ((opts & SSL.SSL_OP_NO_TLSv1_1) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1_1);
+ }
+ if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) {
+ enabled.add(Constants.SSL_PROTO_TLSv1_2);
+ }
+ if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
+ enabled.add(Constants.SSL_PROTO_SSLv2);
+ }
+ if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) {
+ enabled.add(Constants.SSL_PROTO_SSLv3);
+ }
+ sslHostConfig.setEnabledProtocols(
+ enabled.toArray(new String[enabled.size()]));
+ // Reconfigure the enabled ciphers
+ sslHostConfig.setEnabledCiphers(SSLContext.getCiphers(ctx));
 }
 sessionContext = new OpenSSLSessionContext(ctx);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org