Author: rjung
Date: Mon Jul 11 15:44:10 2011
New Revision: 1145209
URL: http://svn.apache.org/viewvc?rev=1145209&view=rev
Log:
BZ 51477: Support all SSL protocol combinations in the
APR/native connector.
This only works when using the native library
version 1.1.21 or later which is not yet released.
Older tcnative versions will use an unchanged
config parser. Otherwise non-supported protocol
combinations would be unnoticed.
For easier review of the changes in AprEndpoint
use "svn -x -w" to ignore white space.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/Library.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/Library.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/Library.java?rev=1145209&r1=1145208&r2=1145209&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/Library.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/Library.java Mon Jul 11 15:44:10
2011
@@ -102,6 +102,8 @@ public final class Library {
public static int TCN_PATCH_VERSION = 0;
/* TCN_IS_DEV_VERSION */
public static int TCN_IS_DEV_VERSION = 0;
+ /* TCN_FULL_VERSION */
+ public static int TCN_FULL_VERSION = 0;
/* APR_MAJOR_VERSION */
public static int APR_MAJOR_VERSION = 0;
/* APR_MINOR_VERSION */
@@ -178,6 +180,9 @@ public final class Library {
TCN_MINOR_VERSION = version(0x02);
TCN_PATCH_VERSION = version(0x03);
TCN_IS_DEV_VERSION = version(0x04);
+ TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000 +
+ TCN_MINOR_VERSION * 100 +
+ TCN_PATCH_VERSION;
APR_MAJOR_VERSION = version(0x11);
APR_MINOR_VERSION = version(0x12);
APR_PATCH_VERSION = version(0x13);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1145209&r1=1145208&r2=1145209&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon Jul 11
15:44:10 2011
@@ -471,24 +471,52 @@ public class AprEndpoint extends Abstrac
}
// SSL protocol
- int value = SSL.SSL_PROTOCOL_ALL;
- if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2;
- } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV3;
- } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_TLSV1;
- } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
- } else if ("all".equalsIgnoreCase(SSLProtocol) ||
- SSLProtocol == null || SSLProtocol.length() == 0) {
- // NOOP, use the default defined above
+ int value;
+ // This branch can be removed, once the required version is at
least 1.1.21.
+ if (Library.TCN_FULL_VERSION <= 1120) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+ SSLProtocol == null || SSLProtocol.length() == 0) {
+ // NOOP, use the default defined above
+ } else {
+ // Protocol not recognized, fail to start as it is safer
than
+ // continuing with the default which might enable more
than the
+ // is required
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol", SSLProtocol));
+ }
} else {
- // Protocol not recognized, fail to start as it is safer than
- // continuing with the default which might enable more than the
- // is required
- throw new Exception(sm.getString(
- "endpoint.apr.invalidSslProtocol", SSLProtocol));
+ value = SSL.SSL_PROTOCOL_NONE;
+ if (SSLProtocol == null || SSLProtocol.length() == 0) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ for (String protocol : SSLProtocol.split("\\+")) {
+ protocol = protocol.trim();
+ if ("SSLv2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("all".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_ALL;
+ } else {
+ // Protocol not recognized, fail to start as it is
safer than
+ // continuing with the default which might enable
more than the
+ // is required
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol",
SSLProtocol));
+ }
+ }
+ }
}
// Create SSL Context
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1145209&r1=1145208&r2=1145209&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Jul 11 15:44:10 2011
@@ -80,6 +80,11 @@
<subsection name="Coyote">
<changelog>
<update>
+ <bug>51477</bug>Support all SSL protocol combinations in the APR/native
+ connector. This only works when using the native library version 1.1.21
+ or later, which is not yet released. (rjung)
+ </update>
+ <update>
Various refactorings to reduce code duplication and unnecessary code in
the connectors. (markt)
</update>
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1145209&r1=1145208&r2=1145209&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon Jul 11 15:44:10 2011
@@ -141,9 +141,9 @@
either a blocking Java based connector or an APR/native based
connector.
If the <code>PATH</code> (Windows) or <code>LD_LIBRARY_PATH</code> (on
most unix systems) environment variables contain the Tomcat native
- library, the native/APR connector will be used. If the native library
+ library, the APR/native connector will be used. If the native library
cannot be found, the blocking Java based connector will be used. Note
- that the native/APR connector has different settings for HTTPS than the
+ that the APR/native connector has different settings for HTTPS than the
Java connectors.<br/>
To use an explicit protocol rather than rely on the auto-switching
mechanism described above, the following values may be used:<br/>
@@ -1149,8 +1149,12 @@
<attribute name="SSLProtocol" required="false">
<p>Protocol which may be used for communicating with clients. The default
- is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1"
- and "SSLv2+SSLv3".</p>
+ value is <code>all</code>, with other acceptable values being
<code>SSLv2</code>,
+ <code>SSLv3</code>, <code>TLSv1</code> and <code>SSLv2+SSLv3</code>.
+ Starting with version 1.1.21 of the Tomcat native
+ library any combination of the three protocols concatenated with a
+ plus sign will be supported. Note that the protocol <code>SSLv2</code>
+ is inherently unsafe.</p>
</attribute>
<attribute name="SSLVerifyClient" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
