2014-10-17 17:59 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>: > All, > > On 10/17/14 9:52 AM, schu...@apache.org wrote: >> Author: schultz >> Date: Fri Oct 17 13:52:24 2014 >> New Revision: 1632577 >> >> URL: http://svn.apache.org/r1632577 >> Log: >> Maintain SSL_OP parity with OpenSSL: add SSL_OP_NO_TLSv1_1 and >> SSL_OP_NO_TLSv1_2. >> >> Modified: >> tomcat/trunk/java/org/apache/tomcat/jni/SSL.java >> >> Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632577&r1=1632576&r2=1632577&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) >> +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 13:52:24 2014 >> @@ -135,6 +135,9 @@ public final class SSL { >> public static final int SSL_OP_NO_SSLv2 = >> 0x01000000; >> public static final int SSL_OP_NO_SSLv3 = >> 0x02000000; >> public static final int SSL_OP_NO_TLSv1 = >> 0x04000000; >> + public static final int SSL_OP_NO_TLSv1_1 = >> 0x08000000; >> + public static final int SSL_OP_NO_TLSv1_2 = >> 0x10000000; >> + >> public static final int SSL_OP_NO_TICKET = >> 0x00004000; > > I just noticed that this conflicts with the SSL_OPs defined just below > these in SSL.java: > >> /* The next flag deliberately changes the ciphertest, this is a check >> * for the PKCS#1 attack */ >> public static final int SSL_OP_PKCS1_CHECK_1 = >> 0x08000000; >> public static final int SSL_OP_PKCS1_CHECK_2 = >> 0x10000000; > > At some point (1.0, I think), OpenSSL deprecated the PKCS1 constants, > made their values 0x0, and re-purposed the flag values for the TLSv1_1 > and TLSv1_2 options shown above. > > Without checking the OpenSSL version, client code will have no way of > knowing whether they are checking for the TLSv1_x or PKCS1 SSL_OP flags, > especially if the Java code has been compiled against a prior version of > SSL.java (because javac stupidly copies constant values from one class > to another instead of looking them up at runtime, at least the last time > I checked). > > What should we do, here? We can make those constants dynamic, but then > we have to do the OpenSSL library load in the class's static initializer > instead of in APRLifecycleListener. > > We could remove SSL_OP_PKCS1_CHECK but then that means anyone relying on > it for use with OpenSSL 0.9.8* might be out of luck. > > I'm a bit nervous about picking a winner here between OpenSSL 0.9.8 and > 1.0.1. > > Any thoughts? >
I think just mark them as @Deprecated as "Not defined in OpenSSL 1.x", "Removed since OpenSSL 1.0" or "Have different values in different OpenSSL versions". Tomcat code does not use them. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
