On 20.08.2017 at 11:15, Mark Thomas wrote:
On 19/08/17 22:35, rj...@apache.org wrote:
Author: rjung
Date: Sat Aug 19 21:35:50 2017
New Revision: 1805529
URL: http://svn.apache.org/viewvc?rev=1805529&view=rev
Log:
Update enabledProtocols and enabledCiphers
in SSLHostConfig after OpenSSLConf has been
applied.
This is needed because the Manager webapp
feature of listing the currently enabled ciphers
relies on SSLHostConfig.
Unfortunately the setters in SSLHostConfig
are not public and OpenSSLContext which needs
to call it is in a sub package.
For now I made the two setters public; any
better suggestions welcome.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
<snip/>
+ }
+ if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
+ enabled.add(Constants.SSL_PROTO_SSLv2);
+ }
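Review bot: the `+ if ((opts & SSL.SSL_OP_NO_SSLv2) == 0)` branch reports SSLv2 as enabled solely from the absence of the option flag, which is what prompts the question below; since this is the read-back path from the SSL_CTX into SSLHostConfig and not the path that enables protocols, a short comment on that line stating that it mirrors OpenSSLEngine.getEnabledProtocols() and reflects whatever the native context actually permits would make the intent clear to the next reader, and would also document that a missing SSLv2 block in the native library (the thread notes tcnative 1.1.x lacks the r1681982 block) will surface in the Manager listing rather than be hidden.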
Does this mean it is now possible to enable SSLv2? That has been (well,
should have been) deliberately blocked everywhere else.
No, it should not mean this.
That code is used to reverse the observed real SSL options after
applying all our configuration back to their meaning in the config
world. The code was copied from OpenSSLEngine.getEnabledProtocols() and
I think it is fine.
Our mechanism to block SSLv2 is (and I am not aware of having changed it):
- When using the OpenSSL implementation, the mechanism is based only on
a block in tcnative itself: r1681982 in tcnative should prevent the
SSL_CTX from ever allowing SSLv2, even if the caller explicitly demands
it.
It was added on 2015-05-27 and is part of every 1.2.x release of
tcnative. The 1.1.x releases do not contain this block!
The above code change only affects the OpenSSL case, but, as written
above, not on the way from the config to the SSL_CTX but instead when
trying to read the resulting situation back into config language.
Of course there's the other fallback mechanism, that OpenSSL starting
with 1.0.2g disables SSLv2, but one could work around that with build
flags.
- When using JSSE, the only block I found is in JSSEUtil, which
filters SSLv2 out of the list of implemented protocols. That list in
turn is used to filter the list of enabled protocols in order to
only try to enable implemented ones.
Regards and thanks for looking at the commits!
Rainer