On 20/08/17 12:38, Rainer Jung wrote:
> On 20.08.2017 at 11:15, Mark Thomas wrote:
>> On 19/08/17 22:35, rj...@apache.org wrote:
>>> Author: rjung
>>> Date: Sat Aug 19 21:35:50 2017
>>> New Revision: 1805529
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1805529&view=rev
>>> Log:
>>> Update enabledProtocols and enabledCiphers
>>> in SSLHostConfig after OpenSSLConf has been
>>> applied.
>>>
>>> This is needed, because the Manager webapp
>>> feature of listing the current enabled ciphers
>>> relies on SSLHostConfig.
>>>
>>> Unfortunately the setters in SSLHostConfig
>>> are not public and OpenSSLContext which needs
>>> to call it is in a sub package.
>>>
>>> For now I made the two setters public, any
>>> better suggestions welcome.
>>>
>>> Modified:
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
>>>
>> <snip/>
>>
>>> + }
>>> + if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
>>> + enabled.add(Constants.SSL_PROTO_SSLv2);
>>> + }
>>
>> Does this mean it is now possible to enable SSLv2? That has been (well,
>> should have been) deliberately blocked everywhere else.
>
> No, it should not mean this.
>
> That code is used to reverse the observed real SSL options after
> applying all our configuration back to their meaning in the config
> world. The code was copied from OpenSSLEngine.getEnabledProtocols() and
> I think it is fine.
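Review bot: the `if ((opts & SSL.SSL_OP_NO_SSLv2) == 0)` branch reports SSLv2 as enabled whenever that option is clear in the effective SSL options, so the Manager listing is only as trustworthy as whatever keeps the option set upstream (the thread points to the r1681982 block in tcnative 1.2.x, which 1.1.x lacks); a short comment above the check stating that this is a read-back of the real SSL_CTX state rather than a configuration path, and that SSLv2 blocking is enforced in tcnative, would keep a later reader from either filtering SSLv2 out here (which would hide a real misconfiguration from the listing) or assuming this code can enable it.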
Thanks for confirming.

Mark

> Our mechanism to block SSLv2 is (and I am not aware of having changed it):
>
> - When using the OpenSSL implementation, the mechanism is based only on
>   a block in tcnative itself: r1681982 in tcnative should prevent the
>   SSL_CTX from ever allowing SSLv2, even if the caller explicitly demands
>   it.
>   It was added on 2015-05-27 and is part of every 1.2.x release of
>   tcnative. The 1.1.x releases do not contain this block!
>   The above code change only affects the OpenSSL case, but as written
>   above not on the way from the config to the SSL_CTX but instead when
>   trying to read the resulting situation back into config language.
>   Of course there's the other fallback mechanism, that OpenSSL starting
>   with 1.0.2g disables SSLv2, but one could work around that with build
>   flags.
>
> - When using JSSE, the only block I found is in JSSEUtil, which
>   filters SSLv2 out of the list of implemented protocols. That list in
>   turn is used to filter the list of enabled protocols in order to
>   only try to enable implemented ones.
>
> Regards and thanks for looking at the commits!
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org