Author: markt Date: Fri Oct 17 08:31:36 2014 New Revision: 1632514 URL: http://svn.apache.org/r1632514 Log: Disable SSLv3 by default for JSSE HTTPS connectors (BIO, NIO, NIO2) Ensure SSLv2 is disabled (the JRE should do this anyway)
Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1632512

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632514&r1=1632513&r2=1632514&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri Oct 17 08:31:36 2014
@@ -129,7 +129,16 @@ public class JSSESocketFactory implement
             SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket();
             ciphers = socket.getEnabledCipherSuites();
-            protocols = socket.getEnabledProtocols();
+            // Filter out all the SSL protocols (SSLv2 and SSLv3) from the
+            // default protocols since they are no longer considered secure
+            List<String> filteredProtocols = new ArrayList<String>();
+            for (String protocol : socket.getEnabledProtocols()) {
+                if (protocol.contains("SSL")) {
+                    continue;
+                }
+                filteredProtocols.add(protocol);
+            }
+            protocols = filteredProtocols.toArray(new String[filteredProtocols.size()]);
         } catch (NoSuchAlgorithmException e ) {
             // Assume no RFC 5746 support if an SSLContext could not be created
             // Unable to determine default ciphers/protocols so use none

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632514&r1=1632513&r2=1632514&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 08:31:36 2014
@@ -74,6 +74,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <add>
+        Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO).
+        The change also ensures that SSLv2 is disabled for these connectors
+        although SSLv2 should already be disabled by default by the JRE. (markt)
+      </add>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <fix>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
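Review bot: The filter at `if (protocol.contains("SSL"))` matches by substring, so it also drops the `SSLv2Hello` pseudo-protocol and any other name containing "SSL", which is broader than the comment's "(SSLv2 and SSLv3)" suggests; I would have the comment state the actual rule, e.g. `// Drop every default protocol whose name contains "SSL" (SSLv2Hello, SSLv3, ...) so that only TLS* remains`. If a JRE ever reports only SSL* names as enabled, `filteredProtocols` ends up empty and `protocols` becomes a zero-length array with no warning, so a one-line note that an empty default is deliberately accepted here (the `NoSuchAlgorithmException` branch below already produces the same) would save the next reader a question. This hunk only touches the defaults read from the unbound `socket`; presumably a protocol list configured explicitly on the connector is applied elsewhere in the enclosing constructor/method, which starts and ends outside the hunk, and the comment should say that explicit configuration is not filtered. The hunk adds no import for `List`/`ArrayList`, so I assume both are already imported in this file.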