Author: kkolinko
Date: Tue Mar 26 08:48:14 2013
New Revision: 1461021
URL: http://svn.apache.org/r1461021
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
Allow APR connector to disable TLS compression when OpenSSL supports it.
Patch by schultz
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Mar 26 08:48:14 2013
@@ -80,15 +80,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kkolinko, markt
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
- Allow APR connector to disable TLS compression when OpenSSL supports it.
- http://svn.apache.org/viewvc?view=revision&revision=1434887
- http://svn.apache.org/viewvc?view=revision&revision=1435769 - Javadoc fix
- http://svn.apache.org/viewvc?view=revision&revision=1457378 - Fix message
broken during backport to TC7
- (r1434882 r1435767 in trunk)
- +1: schultz, markt, kkolinko
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54456
If the client aborts the request, make sure this is communicated to the
application reading the request body.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
Tue Mar 26 08:48:14 2013
@@ -488,6 +488,12 @@ public class Http11AprProtocol extends A
public int getSSLVerifyDepth() { return endpoint.getSSLVerifyDepth(); }
public void setSSLVerifyDepth(int SSLVerifyDepth) {
endpoint.setSSLVerifyDepth(SSLVerifyDepth); }
+ /**
+ * Disable SSL compression.
+ */
+ public boolean getSSLDisableCompression() { return
((AprEndpoint)endpoint).getSSLDisableCompression(); }
+ public void setSSLDisableCompression(boolean disable) {
((AprEndpoint)endpoint).setSSLDisableCompression(disable); }
+
/**
* When client certificate information is presented in a form other than
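Review bot: The Javadoc `Disable SSL compression.` is attached to the getter, so it reads as if calling `getSSLDisableCompression()` disables something; reword it to `/** Whether TLS compression is requested to be disabled on the APR endpoint; see {@link AprEndpoint#setSSLDisableCompression(boolean)}. */` and give the setter its own one-line Javadoc. The neighbouring SSLVerifyDepth accessors call `endpoint` directly while the new pair casts to `AprEndpoint`, which is presumably needed because the field is declared with the abstract type; a short comment on the cast would save the next reader from checking. The enclosing class continues outside the hunk.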
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Tue Mar 26
08:48:14 2013
@@ -116,6 +116,8 @@ public final class SSL {
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
0x00010000;
+ /* Don't use compression even if supported */
+ public static final int SSL_OP_NO_COMPRESSION =
0x00020000;
/* If set, always create a new key when using tmp_dh parameters */
public static final int SSL_OP_SINGLE_DH_USE =
0x00100000;
/* Set to always use the tmp_rsa key when doing RSA operations,
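Review bot: The new constant's comment should record that the value is OpenSSL's own option bit and is only meaningful when the native library reports it, so nobody changes it independently or sets it blindly: `/* Don't use compression even if supported. Value mirrors OpenSSL's SSL_OP_NO_COMPRESSION; check hasOp() before setting it, older OpenSSL/tcnative builds do not honour it */`. The surrounding constant block follows the file's existing comment style otherwise.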
@@ -335,8 +337,13 @@ public final class SSL {
/**
* Return true if all the requested SSL_OP_* are supported by OpenSSL.
+ *
+ * <i>Note that for versions of tcnative < 1.1.25, this method will
+ * return <code>true</code> if and only if <code>op</code>=
+ * {@link #SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION} and tcnative
+ * supports that flag.</i>
*
- * @param Bitwise-OR of all SSL_OP_* to test.
+ * @param op Bitwise-OR of all SSL_OP_* to test.
*
* @return true if all SSL_OP_* are supported by OpenSSL library.
*/
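Review bot: The raw `<` in `versions of tcnative < 1.1.25` inside the Javadoc is parsed as the start of an HTML tag and is flagged as malformed HTML by doclint; write it as `tcnative &lt; 1.1.25` (or wrap the expression in `{@code ...}`). The rest of the added note usefully documents the hasOp() quirk that callers such as the compression check depend on. The method body is outside the hunk.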
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue
Mar 26 08:48:14 2013
@@ -529,6 +529,20 @@ public class AprEndpoint extends Abstrac
public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
/**
+ * Disables compression of the SSL stream. This thwarts CRIME attack
+ * and possibly improves performance by not compressing uncompressible
+ * content such as JPEG, etc.
+ */
+ protected boolean SSLDisableCompression = false;
+
+ /**
+ * Set to <code>true</code> to disable SSL compression. This thwarts CRIME
+ * attack.
+ */
+ public void setSSLDisableCompression(boolean SSLDisableCompression) {
this.SSLDisableCompression = SSLDisableCompression; }
+ public boolean getSSLDisableCompression() { return SSLDisableCompression; }
+
+ /**
* Number of keepalive sockets.
*/
public int getKeepAliveCount() {
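Review bot: The field Javadoc `Disables compression of the SSL stream.` overstates what the flag does; per the later hunk it only requests `SSL_OP_NO_COMPRESSION` when `SSL.hasOp` reports support and otherwise logs a warning, so the documentation should say `Set to true to request that TLS compression be disabled (SSL_OP_NO_COMPRESSION), which mitigates CRIME-style attacks; if the SSL library does not support the option a warning is logged and compression is left at OpenSSL's default.` The getter `getSSLDisableCompression()` has no Javadoc while its sibling `getSSLHonorCipherOrder()` is documented on its field; a one-liner would match. The enclosing class continues outside the hunk.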
@@ -781,6 +795,23 @@ public class AprEndpoint extends Abstrac
}
}
+ // Disable compression if requested
+ if (SSLDisableCompression) {
+ boolean disableCompressionSupported = false;
+ try {
+ disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+ if (disableCompressionSupported)
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_NO_COMPRESSION);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!disableCompressionSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noDisableCompression",
+ SSL.versionString()));
+ }
+ }
+
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
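Review bot: The comment `// OpenSSL does not support ciphers ordering.` before the log.warn call was copied from the cipher-order block and describes the wrong feature; change it to `// OpenSSL/tcnative does not support disabling compression.` When `hasOp` returns false or the `UnsatisfiedLinkError` is swallowed, the connector still starts with compression left at OpenSSL's default even though the administrator explicitly asked for it to be disabled, and only a warn-level message records that; the `endpoint.warn.noDisableCompression` text in the LocalStrings.properties hunk should say so explicitly, e.g. `... not supported by the SSL library {0}; TLS compression is left at the library default`. The empty `catch (UnsatisfiedLinkError e)` should state why it is expected rather than `// Ignore`: `// Older tcnative has no SSL.hasOp(); treat as unsupported.` The enclosing method starts and ends outside the hunk.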
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Tue Mar 26 08:48:14 2013
@@ -40,6 +40,7 @@ endpoint.process.fail=Error allocating s
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sednfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version
or the system doesn't support it
+endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Tue Mar 26 08:48:14 2013
@@ -271,6 +271,11 @@
and private key have to be in this file (NOT RECOMMENDED).
</p>
</attribute>
+ <attribute name="SSLDisableCompression" required="false">
+ <p>Disables compression if set to <code>true</code> and OpenSSL supports
+ disabling compression. Default is <code>false</code> which inherits the
+ default compression setting in OpenSSL.</p>
+ </attribute>
<attribute name="SSLHonorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>SSLCipherSuite</code> setting) instead of allowing
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1461021&r1=1461020&r2=1461021&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Mar 26 08:48:14 2013
@@ -86,6 +86,10 @@
a Reader to read a request body with a BOM for those encodings that
require byte order marks. (markt)
</fix>
+ <fix>
+ <bug>54324</bug>: Allow APR connector to disable TLS compression
+ if OpenSSL supports it. (schultz)
+ </fix>
</changelog>
</subsection>
<subsection name="Cluster">