Author: markt Date: Wed Oct 10 11:56:09 2018 New Revision: 1843428 URL: http://svn.apache.org/viewvc?rev=1843428&view=rev Log: JSSE only supports TLS client authentication as part of the initial handshake. Log a warning if a JSSE connector is configured with TLS 1.3 and optional authentication.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1843428&r1=1843427&r2=1843428&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties [UTF-8] (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties [UTF-8] Wed Oct 10 11:56:09 2018
@@ -129,6 +129,7 @@ channel.nio.ssl.foundHttp=Found an plain
 jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
 jsse.keystore_load_failed=Failed to load keystore type [{0}] with path [{1}] due to [{2}]
 jsse.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure.
+jsse.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
 sniExtractor.clientHelloInvalid=The ClientHello message was not correctly formatted
 sniExtractor.clientHelloTooBig=The ClientHello was not presented in a single TLS record so no SNI information could be extracted
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1843428&r1=1843427&r2=1843428&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Wed Oct 10 11:56:09 2018
@@ -31,6 +31,7 @@ import java.util.Set;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.file.ConfigFileLoader;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
 import org.apache.tomcat.util.res.StringManager;
 /**
@@ -72,6 +73,13 @@ public abstract class SSLUtilBase implem
 }
 this.enabledProtocols = enabledProtocols.toArray(new String[enabledProtocols.size()]);
+ if (enabledProtocols.contains(Constants.SSL_PROTO_TLSv1_3) &&
+ (sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL ||
+ sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL) &&
+ !isTls13RenegAuthAvailable() && warnOnSkip) {
+ log.warn(sm.getString("jsse.tls13.auth"));
+ }
+
 // Calculate the enabled ciphers
 List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
 Set<String> implementedCiphers = getImplementedCiphers();
@@ -209,4 +217,5 @@ public abstract class SSLUtilBase implem
 protected abstract Set<String> getImplementedCiphers();
 protected abstract Log getLog();
 protected abstract boolean isTls13Available();
+ protected abstract boolean isTls13RenegAuthAvailable();
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1843428&r1=1843427&r2=1843428&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Oct 10 11:56:09 2018
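Review bot: The two operands of the `||` in the added condition are identical (`== CertificateVerification.OPTIONAL` on both sides), so the second comparison is dead and one optional verification mode is presumably never warned about; since the `jsse.tls13.auth` message targets optional client authentication in general, the second operand looks like it was meant to be the no-CA variant, i.e. `sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA) &&`. The enum is not visible in this diff, so confirm that constant's exact name before changing it. Note also that this is only a `log.warn`: a JSSE connector configured with TLS 1.3 and optional client auth still starts, so an operator who misses the log line is left with a connector on which a later certificate request cannot be satisfied (per the commit log, JSSE only authenticates the client in the initial handshake); consider spelling out that consequence in the message or the connector docs. The enclosing constructor begins and ends outside this hunk.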
@@ -177,6 +177,13 @@ public class JSSEUtil extends SSLUtilBas
 @Override
+ protected boolean isTls13RenegAuthAvailable() {
+ // TLS 1.3 does not support authentication after the initial handshake
+ return false;
+ }
+
+
+ @Override
 public SSLContext createSSLContext(List<String> negotiableProtocols) throws NoSuchAlgorithmException {
 return new JSSESSLContext(sslHostConfig.getSslProtocol());
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1843428&r1=1843427&r2=1843428&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Wed Oct 10 11:56:09 2018
@@ -77,6 +77,13 @@ public class OpenSSLUtil extends SSLUtil
 @Override
+ protected boolean isTls13RenegAuthAvailable() {
+ // OpenSSL does support authentication after the initial handshake
+ return true;
+ }
+
+
+ @Override
 public SSLContext createSSLContext(List<String> negotiableProtocols) throws Exception {
 return new OpenSSLContext(certificate, negotiableProtocols);
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
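Review bot: The comment on the new `isTls13RenegAuthAvailable` override in JSSEUtil attributes the limitation to the protocol, but TLS 1.3 itself defines post-handshake client authentication (RFC 8446 section 4.6.2); the limitation is in the JSSE implementation, which is what both the `jsse.tls13.auth` message and the commit log actually say. Suggest `// JSSE's TLS 1.3 implementation does not offer post-handshake client authentication (RFC 8446 s4.6.2), so optional client auth cannot be satisfied on a TLS 1.3 connection` so the code comment and the user-facing message make the same claim. The enclosing class continues outside the hunk.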
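Review bot: The OpenSSLUtil override returns `true` unconditionally with a comment that OpenSSL supports authentication after the initial handshake, but for TLS 1.3 that is a server-side capability only: post-handshake authentication also requires the client to have offered the post_handshake_auth extension in its ClientHello, so "available" must not be read as "will work for every client". Suggest the comment state that scope, e.g. `// OpenSSL can issue a TLS 1.3 post-handshake CertificateRequest (RFC 8446 s4.6.2); the client must still have offered post_handshake_auth`. Whether the native build is new enough for TLS 1.3 at all is presumably decided by `isTls13Available()` elsewhere; that is not visible in this diff, so confirm the two checks are applied together. The enclosing class continues outside the hunk.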