Author: kkolinko Date: Fri Mar 23 17:25:38 2012 New Revision: 1304509 URL: http://svn.apache.org/viewvc?rev=1304509&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51477 Support all SSL/TLS protocol combinations in APR connector. (rjung)
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/Library.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc6.0.x/trunk/webapps/docs/apr.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1304509&r1=1304508&r2=1304509&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Mar 23 17:25:38 2012
@@ -86,15 +86,6 @@ PATCHES PROPOSED TO BACKPORT: -0: markt - https://issues.apache.org/bugzilla/show_bug.cgi?id=52579#c8 -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51477 - Support all SSL/TLS protocol combinations in APR connector. - trunk/TC7 (applies clean except for docs): - http://svn.apache.org/viewvc?rev=1145209&view=rev - TC 6 patch: - http://people.apache.org/~rjung/patches/tc6-apr-all-sslprotocol-r1145209.patch - +1: rjung, mturk, fhanik, markt - -1: - * Replicate Principal in ClusterSingleSignOn. http://svn.apache.org/viewvc?view=revision&revision=1298299 +1: kfujino, fhanik, markt
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/Library.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/Library.java?rev=1304509&r1=1304508&r2=1304509&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/Library.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/Library.java Fri Mar 23 17:25:38 2012
@@ -85,6 +85,8 @@ public final class Library {
 public static int TCN_PATCH_VERSION = 0;
 /* TCN_IS_DEV_VERSION */
 public static int TCN_IS_DEV_VERSION = 0;
+ /* TCN_FULL_VERSION */
+ public static int TCN_FULL_VERSION = 0;
 /* APR_MAJOR_VERSION */
 public static int APR_MAJOR_VERSION = 0;
 /* APR_MINOR_VERSION */ 
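Review bot: The comment above the new field, `/* TCN_FULL_VERSION */`, only repeats the identifier, while the value has a non-obvious encoding and a lifecycle that its consumer in AprEndpoint depends on: it is declared as 0 and only becomes meaningful once the version fields have been read from the native library (the assignment is in the next hunk of this file). Suggest `/* TCN_FULL_VERSION: TCN_MAJOR_VERSION * 1000 + TCN_MINOR_VERSION * 100 + TCN_PATCH_VERSION; 0 until the native version has been read */` so readers know both the layout and that a comparison against it before initialization sees 0. The class header is outside the hunk.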
@@ -161,6 +163,9 @@ public final class Library {
 TCN_MINOR_VERSION = version(0x02);
 TCN_PATCH_VERSION = version(0x03);
 TCN_IS_DEV_VERSION = version(0x04);
+ TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000 +
+ TCN_MINOR_VERSION * 100 +
+ TCN_PATCH_VERSION;
 APR_MAJOR_VERSION = version(0x11);
 APR_MINOR_VERSION = version(0x12);
 APR_PATCH_VERSION = version(0x13);
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1304509&r1=1304508&r2=1304509&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Mar 23 17:25:38 2012 
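Review bot: The encoding `TCN_MAJOR_VERSION * 1000 + TCN_MINOR_VERSION * 100 + TCN_PATCH_VERSION` leaves one decimal digit for the minor version and two for the patch, so distinct releases can collide (1.1.100 and 1.2.0 both encode to 1200) and a minor version of 10 or more reads as a major bump. That makes the `<= 1120` threshold in AprEndpoint fragile should tomcat-native ever exceed those digit widths. Widening the factors, e.g. `TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000000 + TCN_MINOR_VERSION * 1000 + TCN_PATCH_VERSION;` with the AprEndpoint threshold changed to match (1.1.20 would then be 1001020), or comparing the three fields directly, removes the ambiguity. The enclosing method starts and ends outside the hunk.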
@@ -705,24 +705,52 @@ public class AprEndpoint {
 if (SSLEnabled) {
 // SSL protocol
- int value = SSL.SSL_PROTOCOL_ALL;
- if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2;
- } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV3;
- } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_TLSV1;
- } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
- } else if ("all".equalsIgnoreCase(SSLProtocol) ||
- SSLProtocol == null || SSLProtocol.length() == 0) {
- // NOOP, use the default defined above
+ int value;
+ // This branch can be removed, once the required version is at least 1.1.21.
+ if (Library.TCN_FULL_VERSION <= 1120) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
+ value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+ SSLProtocol == null || SSLProtocol.length() == 0) {
+ // NOOP, use the default defined above
+ } else {
+ // Protocol not recognized, fail to start as it is safer than
+ // continuing with the default which might enable more than the
+ // is required
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol", SSLProtocol));
+ }
 } else {
- // Protocol not recognized, fail to start as it is safer than
- // continuing with the default which might enable more than the
- // is required
- throw new Exception(sm.getString(
- "endpoint.apr.invalidSslProtocol", SSLProtocol));
+ value = SSL.SSL_PROTOCOL_NONE;
+ if (SSLProtocol == null || SSLProtocol.length() == 0) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ for (String protocol : 
SSLProtocol.split("\\+")) {
+ protocol = protocol.trim();
+ if ("SSLv2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("all".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_ALL;
+ } else {
+ // Protocol not recognized, fail to start as it is safer than
+ // continuing with the default which might enable more than the
+ // is required
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol", SSLProtocol));
+ }
+ }
+ }
 }
 // Create SSL Context
Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1304509&r1=1304508&r2=1304509&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Fri Mar 23 17:25:38 2012 
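Review bot: In the new combination branch a non-empty `SSLProtocol` whose `split("\\+")` yields no tokens (a value made only of `+` characters, since `String.split` discards trailing empty strings) leaves `value` at `SSL.SSL_PROTOCOL_NONE` and falls through to the SSL context creation with no protocol enabled, whereas every other unrecognized input in this hunk is rejected at startup. A check after the loop keeps the fail-closed behavior consistent: `if (value == SSL.SSL_PROTOCOL_NONE) { throw new Exception(sm.getString("endpoint.apr.invalidSslProtocol", SSLProtocol)); }`. The rejection comment and throw are now repeated three times in this hunk (and the comment still reads "more than the is required"); a small private helper would keep the message in one place. The enclosing method starts and ends outside the hunk.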
@@ -243,8 +243,13 @@
 </attribute>
 <attribute name="SSLProtocol" required="false">
 <p>
- Protocol which may be used for communicating with clients. The default is "all", with
- other acceptable values being "SSLv2", "SSLv3", "TLSv1", and "SSLv2+SSLv3".
+ Protocol which may be used for communicating with clients. The default
+ value is <code>all</code>, with other acceptable values being <code>SSLv2</code>,
+ <code>SSLv3</code>, <code>TLSv1</code> and <code>SSLv2+SSLv3</code>.
+ Starting with version 1.1.21 of the Tomcat native
+ library any combination of the three protocols concatenated with a
+ plus sign will be supported. Note that the protocol <code>SSLv2</code>
+ is inherently unsafe.
 </p>
 </attribute>
 <attribute name="SSLCipherSuite" required="false">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1304509&r1=1304508&r2=1304509&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Mar 23 17:25:38 2012
@@ -127,6 +127,11 @@
 </subsection>
 <subsection name="Coyote">
 <changelog>
+ <update>
+ <bug>51477</bug>Support all SSL protocol combinations in the APR/native
+ connector. This only works when using the native library version 1.1.21
+ or later. (rjung)
+ </update>
 <fix> <bug>52606</bug>: Ensure replayed POST bodies are available when using AJP. (markt)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org