Author: markt
Date: Fri Oct 17 08:31:36 2014
New Revision: 1632514
URL: http://svn.apache.org/r1632514
Log:
Disable SSLv3 by default for JSSE HTTPS connectors (BIO, NIO, NIO2)
Ensure SSLv2 is disabled (the JRE should do this anyway)
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1632512
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1632514&r1=1632513&r2=1632514&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Oct 17 08:31:36 2014
@@ -129,7 +129,16 @@ public class JSSESocketFactory implement
SSLServerSocket socket = (SSLServerSocket)
ssf.createServerSocket();
ciphers = socket.getEnabledCipherSuites();
- protocols = socket.getEnabledProtocols();
+ // Filter out all the SSL protocols (SSLv2 and SSLv3) from the
+ // default protocols since they are no longer considered secure
+ List<String> filteredProtocols = new ArrayList<String>();
+ for (String protocol : socket.getEnabledProtocols()) {
+ if (protocol.contains("SSL")) {
+ continue;
+ }
+ filteredProtocols.add(protocol);
+ }
+ protocols = filteredProtocols.toArray(new
String[filteredProtocols.size()]);
} catch (NoSuchAlgorithmException e ) {
// Assume no RFC 5746 support if an SSLContext could not be created
// Unable to determine default ciphers/protocols so use none
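Review bot: The substring test `protocol.contains("SSL")` in the new loop also drops the SSLv2Hello pseudo-protocol whenever the provider lists it among the enabled defaults, and neither the code comment nor the changelog records that clients sending an SSLv2-format ClientHello will therefore be refused; whether the default list contains it is provider-dependent, so this is inferred from the filter's shape rather than visible in the hunk. The comment above the loop should state it, e.g. `// Note: this also removes SSLv2Hello, so SSLv2-format hellos are rejected`. Should every default protocol match the filter (an unusual provider), `protocols` ends up as an empty array and every handshake fails closed with no hint as to why; if this class has a logger, a debug or warning message when `filteredProtocols` is empty would make that failure mode diagnosable. The enclosing try block starts before the hunk.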
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632514&r1=1632513&r2=1632514&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 08:31:36 2014
@@ -74,6 +74,15 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <add>
+ Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO).
+ The change also ensures that SSLv2 is disabled for these connectors
+ although SSLv2 should already be disabled by default by the JRE.
(markt)
+ </add>
+ </changelog>
+ </subsection>
<subsection name="Jasper">
<changelog>
<fix>