Author: schultz
Date: Thu Jan 17 20:41:44 2013
New Revision: 1434907

URL: http://svn.apache.org/viewvc?rev=1434907&view=rev
Log:
Back-ported fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Enable SSLHonorCipherOrder for APR connector.


Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
    tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1371283
  Merged /tomcat/tc7.0.x/trunk:r1371298,1371302,1371620

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Jan 17 20:41:44 2013
@@ -56,17 +56,6 @@ PATCHES PROPOSED TO BACKPORT:
   +1: kkolinko, schultz
   -1:
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
-  Add support for SSLHonorCipherOrder
-  http://svn.apache.org/viewvc?view=revision&revision=1371298
-  http://svn.apache.org/viewvc?view=revision&revision=1371302 (rolls-back 
inadvertent addition of TOMCAT-NEXT.txt)
-  http://svn.apache.org/viewvc?view=revision&revision=1371620 (tab -> spaces)
-  +1: schultz, kkolinko, jfclere
-  -1:
-     -- Note that a bug has been found in the feature to backport which
-        requires an update to tcnative:
-        https://issues.apache.org/bugzilla/show_bug.cgi?id=53969
-
 * Chunked encoding improvements
   http://people.apache.org/~markt/patches/2012-10-19-chunked-encoding-tc6.patch
   +1: markt, kkolinko

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java 
Thu Jan 17 20:41:44 2013
@@ -416,6 +416,17 @@ public class Http11AprProtocol extends A
 
 
     /**
+     * SSL honor cipher order.
+        *
+     * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+     * instead of the default which is to allow the client to choose a
+     * preferred cipher.
+     */
+    public boolean getSSLHonorCipherOrder() { return 
((AprEndpoint)endpoint).getSSLHonorCipherOrder(); }
+    public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { 
((AprEndpoint)endpoint).setSSLHonorCipherOrder(SSLHonorCipherOrder); }
+
+
+    /**
      * SSL certificate file.
      */
     public String getSSLCertificateFile() { return 
endpoint.getSSLCertificateFile(); }
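Review bot: The second line of the new Javadoc block (`+        *`) is indented differently from the rest of its frame, so the asterisk column is broken; align it with the surrounding `     *` lines. The Javadoc is attached only to the getter, leaving `setSSLHonorCipherOrder` undocumented; a short `/** @see #getSSLHonorCipherOrder() */` on the setter keeps both accessors covered. The cast `((AprEndpoint)endpoint)` may be redundant, since `endpoint.getSSLCertificateFile()` in the same hunk is called without one, but the field's declared type is outside this hunk, so confirm before dropping it. The enclosing class continues outside the hunk.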

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Jan 17 
20:41:44 2013
@@ -332,4 +332,13 @@ public final class SSL {
      * Return last SSL error string
      */
     public static native String getLastError();
+
+    /**
+     * Return true if all the requested SSL_OP_* are supported by OpenSSL.
+     *
+     * @param Bitwise-OR of all SSL_OP_* to test.
+     * 
+     * @return true if all SSL_OP_* are supported by OpenSSL library.
+     */
+    public static native boolean hasOp(int op);
 }
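Review bot: The Javadoc on the new `hasOp` declaration has a `@param` tag with no parameter name (`@param Bitwise-OR of all SSL_OP_* to test.`), so the description is not attached to `op` and javadoc will flag it; change it to `@param op Bitwise-OR of all SSL_OP_* to test.`. Since this is a native declaration, the comment is the whole contract; it is worth stating that a tcnative build without this symbol raises `UnsatisfiedLinkError` at call time, which is exactly what the AprEndpoint change in this revision catches.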

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu 
Jan 17 20:41:44 2013
@@ -519,6 +519,14 @@ public class AprEndpoint extends Abstrac
 
     // --------------------------------------------------------- Public Methods
 
+    protected boolean SSLHonorCipherOrder = false;
+    /**
+     * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+     * instead of the default which is to allow the client to choose a
+     * preferred cipher.
+     */
+    public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { 
this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
+    public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
 
     /**
      * Number of keepalive sockets.
@@ -755,6 +763,24 @@ public class AprEndpoint extends Abstrac
 
             // Create SSL Context
             sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+
+            // Set cipher order: client (default) or server
+            if (SSLHonorCipherOrder) {
+                boolean orderCiphersSupported = false;
+                try {
+                    orderCiphersSupported = 
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                    if (orderCiphersSupported)
+                        SSLContext.setOptions(sslContext, 
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                } catch (UnsatisfiedLinkError e) {
+                    // Ignore
+                }
+                if (!orderCiphersSupported) {
+                    // OpenSSL does not support ciphers ordering.
+                    log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+                                          SSL.versionString()));
+                }
+            }
+
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
             // Load Server key and certificate
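Review bot: The `catch (UnsatisfiedLinkError e) { // Ignore }` at lines 145–147 silently swallows the case where the loaded tcnative predates `SSL.hasOp`, and the only signal the operator then gets is the `endpoint.warn.noHonorCipherOrder` message, which reports `SSL.versionString()` rather than pointing at the native library; an administrator who explicitly asked for server cipher preference ends up with client-preferred ordering without a clear reason. Replace the bare comment with one that says what is being ignored, e.g. `// hasOp() is absent from older tcnative builds; treat server preference as unsupported and warn below`, and consider logging the error at debug level so the cause is recoverable from the logs. The method containing this block starts and ends outside the hunk.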

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
 (original)
+++ 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
 Thu Jan 17 20:41:44 2013
@@ -40,5 +40,11 @@ endpoint.process.fail=Error allocating s
 endpoint.sendfile.error=Unexpected sendfile error
 endpoint.sendfile.addfail=Sednfile failure: [{0}] {1}
 endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version 
or the system doesn't support it
+endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the 
SSL library {0}
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported 
by the SSL library {0}
 endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. 
Forcing hard socket shutdown.
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported 
by the SSL library {0}
+endpoint.debug.channelCloseFail=Failed to close channel
+endpoint.debug.socketCloseFail=Failed to close socket
+endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be 
defined when using SSL with APR
 endpoint.apr.invalidSslProtocol=An invalid value [{0}] was provided for the 
SSLProtocol attribute
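Review bot: The key `endpoint.warn.noHonorCipherOrder` is added twice in this hunk (lines 177–178 and 181–182) with identical text; in a .properties file the later definition silently wins, so the duplicate is harmless today but will diverge on the next edit and confuse translators. Drop one of the two added lines. The hunk also introduces keys unrelated to the cipher-order message (`endpoint.warn.noInsecureReneg`, `endpoint.debug.channelCloseFail`, `endpoint.debug.socketCloseFail`, `endpoint.apr.noSslCertFile`); if they come from the merged upstream revisions that is fine, but the commit log mentions only SSLHonorCipherOrder, so it is worth confirming each has a caller in this branch.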

Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Thu Jan 17 20:41:44 2013
@@ -271,6 +271,11 @@
       and private key have to be in this file (NOT RECOMMENDED).
     </p>
     </attribute>
+    <attribute name="SSLHonorCipherOrder" required="false">
+      <p>Set to <code>true</code> to enforce the server's cipher order
+      (from the <code>SSLCipherSuite</code> setting) instead of allowing
+      the client to choose the cipher (which is the default).</p>
+    </attribute>
     <attribute name="SSLPassword" required="false">
     <p>
       Pass phrase for the encrypted private key. If "SSLPassword" is not 
provided, the callback function

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1434907&r1=1434906&r2=1434907&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Jan 17 20:41:44 2013
@@ -46,6 +46,11 @@
 <section name="Tomcat 6.0.37 (jfclere)">
   <subsection name="Catalina">
     <changelog>
+       <fix>
+         <bug>53481</bug>: Added support for SSLHonorCipherOrder to allow
+         the server to impose its cipher order on the client. Based on a patch
+         provided by Marcel Å ebek. (schultz)
+      </fix>
       <fix>
         In FormAuthenticator: If it is configured to change Session IDs,
         do the change before displaying the login form. (kkolinko)


