svn commit: r1632512 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml

Fri, 17 Oct 2014 01:29:00 -0700 

Author: markt
Date: Fri Oct 17 08:28:32 2014
New Revision: 1632512

URL: http://svn.apache.org/r1632512
Log:
Disable SSLv3 by default for JSSE HTTPS connectors (BIO, NIO, NIO2)
Ensure SSLv2 is disabled (the JRE should do this anyway)

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632512&r1=1632511&r2=1632512&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Fri Oct 17 08:28:32 2014
@@ -129,7 +129,16 @@ public class JSSESocketFactory implement
 
             SSLServerSocket socket = (SSLServerSocket) 
ssf.createServerSocket();
             ciphers = socket.getEnabledCipherSuites();
-            protocols = socket.getEnabledProtocols();
+            // Filter out all the SSL protocols (SSLv2 and SSLv3) from the
+            // default protocols since they are no longer considered secure
+            List<String> filteredProtocols = new ArrayList<>();
+            for (String protocol : socket.getEnabledProtocols()) {
+                if (protocol.contains("SSL")) {
+                    continue;
+                }
+                filteredProtocols.add(protocol);
+            }
+            protocols = filteredProtocols.toArray(new 
String[filteredProtocols.size()]);
         } catch (NoSuchAlgorithmException | KeyManagementException | 
IOException |
                 IllegalArgumentException e) {
             // Assume no RFC 5746 support if an SSLContext could not be created

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632512&r1=1632511&r2=1632512&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 08:28:32 2014
@@ -163,6 +163,12 @@
         arrays in the Connectors (e.g. when writing HTTP headers) to improve
         throughput. (markt)
       </scode>
+      <add>
+        Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and
+        NIO2). The change also ensures that SSLv2 is disabled for these
+        connectors although SSLv2 should already be disabled by default by the
+        JRE. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to