Hi Chris,
On 03.10.2012 18:02, Christopher Schultz wrote:
Looking at the OpenSSL API (wow, I really miss javadoc), it doesn't
appear that there's any function that can sniff the capabilities of the
engine and check to see whether a particular option is supported.
Instead, the technique of using #ifdefs to conditionally include code
that will return TRUE seems to be the only alternative.
Apache HTTP server uses this style as well.
My addition of this feature now requires an update to tcnative :(
Since I'm going to be adding this, shall I try to add any particular
subset of SSL options that can be checked? I'm actually wondering if
checking for SSL_OP_CIPHER_SERVER_PREFERENCE is worth it, since lack of
support from the OpenSSL library is highly unlikely.
At any rate, the list of supported options appears to be documented here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#NOTES
There are only 26 documented options to check.
I'm also wondering if it wouldn't be a good idea to future-proof the
implementation of that method by having it throw an exception if you try
to check the support-status of an option that isn't known to the code.
Something like this:
TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
{
    jint requested = op; // keep the original mask; op is cleared below
    int support = 0;
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    if (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) {
        support |= (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
        op ^= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
    }
#endif
#ifdef SSL_OP_FOO
    if (op & SSL_OP_FOO) {
        support |= (op & SSL_OP_FOO);
        op ^= SSL_OP_FOO; // Clear FOO
    }
#endif
#ifdef SSL_OP_BAR
    if (op & SSL_OP_BAR) {
        support |= (op & SSL_OP_BAR);
        op ^= SSL_OP_BAR; // Clear BAR
    }
#endif
    if (op) {
        // any bits left over are options this code doesn't know about
        tcn_Throw(e, "Unsupported OpenSSL option to check: %#08lx", (long)op);
        return JNI_FALSE;
    }
    return support == requested ? JNI_TRUE : JNI_FALSE;
}
This is able to test option bitmasks that contain more than one option:
it will return true if all of them are supported and false if any one of
them is not supported. An exception will be thrown if you try to test
for an option that hasn't been coded into tcnative.
Thoughts?
I think, though ugly, it's the right approach. You could try to define a
macro that takes over the
    if (op & SSL_OP_FOO) {
        support |= (op & SSL_OP_FOO);
        op ^= SSL_OP_FOO; // Clear FOO
    }
part and makes it a bit shorter. The ifdef unfortunately has to stay
outside of the macro, since you can't use if or ifdef inside a cpp macro.
Totally untested, but maybe something along the lines of
http://people.apache.org/~rjung/patches/hasOp-example.c
Regards,
Rainer
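As an added illustration (not from this thread, not tcnative's code, and not Rainer's linked patch), here is the macro idea in stand-alone C: the #ifdef stays outside each macro use, the leftover bits identify options unknown to the code, and the result is compared against the original mask rather than the cleared one. The DEMO_OP_* values are constructed stand-ins for OpenSSL's SSL_OP_* flags so the file builds without openssl/ssl.h.

```c
#include <stdio.h>

/* Constructed stand-ins for OpenSSL's SSL_OP_* flags so the example builds
 * without openssl/ssl.h; a tcnative build would use the real macros. */
#define DEMO_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
#define DEMO_OP_NO_SSLv2                 0x01000000L
/* DEMO_OP_FOO is deliberately undefined: an option this build lacks. */

/* The suggested macro: mark the requested bits of one option as supported
 * and clear them from the remaining mask. The #ifdef around each use must
 * stay outside, since a macro body can't contain preprocessor directives. */
#define HAS_OP_CHECK(mask, supported, OPT)          \
    do {                                            \
        if ((mask) & (OPT)) {                       \
            (supported) |= ((mask) & (OPT));        \
            (mask) &= ~(OPT);                       \
        }                                           \
    } while (0)

/* Returns 1 if every bit in op is a known, supported option, else 0. Bits
 * left after the checks are unknown options, handed back in *unknown so the
 * caller can throw (as tcn_Throw would in tcnative). */
int has_op(long op, long *unknown)
{
    long requested = op;   /* op is cleared below; compare against this */
    long support = 0;

#ifdef DEMO_OP_CIPHER_SERVER_PREFERENCE
    HAS_OP_CHECK(op, support, DEMO_OP_CIPHER_SERVER_PREFERENCE);
#endif
#ifdef DEMO_OP_NO_SSLv2
    HAS_OP_CHECK(op, support, DEMO_OP_NO_SSLv2);
#endif
#ifdef DEMO_OP_FOO
    HAS_OP_CHECK(op, support, DEMO_OP_FOO);   /* compiles to nothing here */
#endif

    *unknown = op;   /* non-zero: "Unsupported OpenSSL option to check" */
    return (op == 0 && support == requested) ? 1 : 0;
}

int main(void)
{
    long unknown = 0;
    int ok = has_op(DEMO_OP_CIPHER_SERVER_PREFERENCE | DEMO_OP_NO_SSLv2, &unknown);
    printf("both supported: %d\n", ok);
    ok = has_op(DEMO_OP_NO_SSLv2 | 0x10L, &unknown);   /* 0x10 is unknown here */
    printf("mixed: %d, leftover %#08lx\n", ok, unknown);
    return 0;
}
```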
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org