This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 19e66ad3ad Tomcat Native 2.x onwards will require SSL 19e66ad3ad is described below commit 19e66ad3adaa275081b5473c959486de9c3ab379 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue May 31 21:02:33 2022 +0100 Tomcat Native 2.x onwards will require SSL --- java/org/apache/catalina/core/AprLifecycleListener.java | 11 +++++++++++ java/org/apache/catalina/core/LocalStrings.properties | 1 + webapps/docs/config/listeners.xml | 3 +++ 3 files changed, 15 insertions(+)
diff --git a/java/org/apache/catalina/core/AprLifecycleListener.java b/java/org/apache/catalina/core/AprLifecycleListener.java
index 4fdbc6c500..49c5f58d8e 100644
--- a/java/org/apache/catalina/core/AprLifecycleListener.java
+++ b/java/org/apache/catalina/core/AprLifecycleListener.java
@@ -227,6 +227,17 @@ public class AprLifecycleListener implements LifecycleListener {
 log.warn(sm.getString("aprListener.aprInitError", t.getMessage()), t);
 return;
 }
+ if (major > 1 && "off".equalsIgnoreCase(SSLEngine)) {
+ log.error(sm.getString("aprListener.sslRequired", SSLEngine, Library.versionString()));
+ try {
+ // Tomcat Native 2.x onwards requires SSL
+ terminateAPR();
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ return;
+ }
 if (apver < rqver) {
 log.error(sm.getString("aprListener.tcnInvalid",
 Library.versionString(),
diff --git a/java/org/apache/catalina/core/LocalStrings.properties b/java/org/apache/catalina/core/LocalStrings.properties
index 8e10444ba9..823718ee70 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
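Review bot: The catch block around `terminateAPR()` in the new SSL-required branch of AprLifecycleListener.java discards the throwable without logging it, whereas the catch visible in the context just above reports its failure through `log.warn(..., t)`. If shutting the native library down fails here, the listener still returns as though APR had been disabled, and nothing in the log tells the operator that the library may remain initialised. Assuming `ExceptionUtils.handleThrowable` only rethrows fatal errors (its body is not part of this hunk), I would add `log.warn(<message stating that APR shutdown failed>, t);` after that call, backed by a dedicated message key. The enclosing method begins and ends outside the hunk, so how this branch sits relative to the rest of the initialisation is not checked here.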
@@ -84,6 +84,7 @@ aprListener.initializingFIPS=Initializing FIPS mode...
 aprListener.requireNotInFIPSMode=AprLifecycleListener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode
 aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization.
 aprListener.sslInit=Failed to initialize the SSLEngine.
+aprListener.sslRequired=[{0}] is not a valid value for SSLEngine when using version [{1}] of the Tomcat Native library since SSL is required for version 2.x onwards.
 aprListener.tcnInvalid=An incompatible version [{0}] of the Apache Tomcat Native library is installed, while Tomcat requires version [{1}]
 aprListener.tcnValid=Loaded Apache Tomcat Native library [{0}] using APR version [{1}].
 aprListener.tcnVersion=An older version [{0}] of the Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [{1}]
diff --git a/webapps/docs/config/listeners.xml b/webapps/docs/config/listeners.xml
index 4a636e817f..c1cf3b95c7 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -103,6 +103,9 @@ <p>See the <a href="http://www.openssl.org/">Official OpenSSL website</a> for more details on supported SSL hardware engines and manufacturers. </p> + <p>Tomcat Native 2.x onwards requires SSL so if SSLEngine is set to + <code>off</code> when using Tomcat Native 2.x onwards, the APR/native + library will be disabled.</p> </attribute> <attribute name="SSLRandomSeed" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org