Author: schultz Date: Fri Oct 17 14:47:04 2014 New Revision: 1632593 URL: http://svn.apache.org/r1632593 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Add support for TLSv1.2 and TLSv1.1.
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslcontext.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1632593&r1=1632592&r2=1632593&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri Oct 17 14:47:04 2014
@@ -115,7 +115,9 @@
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #define SSL_MODE_CLIENT (0)
 #define SSL_MODE_SERVER (1)
Modified: tomcat/native/trunk/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1632593&r1=1632592&r2=1632593&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Fri Oct 17 14:47:04 2014
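Review bot: The rewritten `SSL_PROTOCOL_ALL` mask still folds `SSL_PROTOCOL_SSLV2` and `SSL_PROTOCOL_SSLV3` in alongside the new TLS 1.1/1.2 bits, so a caller that asks for "all" keeps negotiating both legacy versions whenever the linked OpenSSL still offers them; a comment stating that explicitly, or a separate TLS-only mask for callers that want it, would make that choice deliberate rather than incidental. The bit positions `(1<<3)` and `(1<<4)` presumably have to agree with constants exposed on the Java side of tcnative; if so, a comment on the first `#define` such as `/* Bit values must match the Java-side SSL_PROTOCOL_* constants */` would guard against the two drifting apart — confirm against the Java sources.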
@@ -190,6 +190,14 @@ static const jint supported_ssl_opts = 0
 | SSL_OP_PKCS1_CHECK_2
 #endif
+#ifdef SSL_OP_NO_TLSv1_1
+ | SSL_OP_NO_TLSv1_1
+#endif
+
+#ifdef SSL_OP_NO_TLSv1_2
+ | SSL_OP_NO_TLSv1_2
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
 | SSL_OP_SINGLE_DH_USE
 #endif
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1632593&r1=1632592&r2=1632593&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri Oct 17 14:47:04 2014
@@ -71,43 +71,64 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 SSL_CTX *ctx = NULL;
 UNREFERENCED(o);
- switch (protocol) {
- case SSL_PROTOCOL_SSLV2:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(SSLv2_client_method());
- else if (mode == SSL_MODE_SERVER)
- ctx = SSL_CTX_new(SSLv2_server_method());
- else
- ctx = SSL_CTX_new(SSLv2_method());
- break;
- case SSL_PROTOCOL_SSLV3:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(SSLv3_client_method());
- else if (mode == SSL_MODE_SERVER)
- ctx = SSL_CTX_new(SSLv3_server_method());
- else
- ctx = SSL_CTX_new(SSLv3_method());
- break;
- case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
- case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
- case SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1:
- case SSL_PROTOCOL_ALL:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(SSLv23_client_method());
- else if (mode == SSL_MODE_SERVER)
- ctx = SSL_CTX_new(SSLv23_server_method());
- else
- ctx = SSL_CTX_new(SSLv23_method());
- break;
- case SSL_PROTOCOL_TLSV1:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(TLSv1_client_method());
- else if (mode == SSL_MODE_SERVER)
- ctx = SSL_CTX_new(TLSv1_server_method());
- else
- ctx = SSL_CTX_new(TLSv1_method());
- break;
+ if (protocol == SSL_PROTOCOL_TLSV1_2) {
+#ifdef SSL_OP_NO_TLSv1_2
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(TLSv1_2_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(TLSv1_2_server_method());
+ else
+ ctx = SSL_CTX_new(TLSv1_2_method());
+#endif
+ } else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+#ifdef SSL_OP_NO_TLSv1_1
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(TLSv1_1_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(TLSv1_1_server_method());
+ else
+ ctx = SSL_CTX_new(TLSv1_1_method());
+#endif
+ } else if (protocol == SSL_PROTOCOL_TLSV1) {
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(TLSv1_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(TLSv1_server_method());
+ else
+ ctx = 
SSL_CTX_new(TLSv1_method());
+ } else if (protocol == SSL_PROTOCOL_SSLV3) {
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(SSLv3_server_method());
+ else
+ ctx = SSL_CTX_new(SSLv3_method());
+#ifndef OPENSSL_NO_SSL2
+ } else if (protocol == SSL_PROTOCOL_SSLV2) {
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(SSLv2_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(SSLv2_server_method());
+ else
+ ctx = SSL_CTX_new(SSLv2_method());
+#endif
+#ifndef SSL_OP_NO_TLSv1_2
+ } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ /* requested but not supported */
+#endif
+#ifndef SSL_OP_NO_TLSv1_1
+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+ /* requested but not supported */
+#endif
+ } else {
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(SSLv23_server_method());
+ else
+ ctx = SSL_CTX_new(SSLv23_method());
 }
+
 if (!ctx) {
 char err[256];
 ERR_error_string(ERR_get_error(), err);
@@ -133,6 +154,14 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
 if (!(protocol & SSL_PROTOCOL_TLSV1))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!(protocol & SSL_PROTOCOL_TLSV1_1))
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_1);
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!(protocol & SSL_PROTOCOL_TLSV1_2))
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
+#endif
 /*
 * Configure additional context ingredients
 */
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
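Review bot: On an OpenSSL without `SSL_OP_NO_TLSv1_2` or `SSL_OP_NO_TLSv1_1`, the exclusive `protocol == SSL_PROTOCOL_TLSV1_2` / `SSL_PROTOCOL_TLSV1_1` branches compile to empty bodies, and the two `/* requested but not supported */` branches are empty by design, so `ctx` stays NULL with nothing queued on the OpenSSL error stack; the following `if (!ctx)` block then reports whatever `ERR_get_error()` yields from an empty queue (typically the all-zero "error:00000000" string) instead of telling the caller that the requested version is unavailable in this build. A related gap: `SSL_PROTOCOL_SSLV2` on an `OPENSSL_NO_SSL2` build matches no branch, presumably reaches the final `else` and gets an SSLv23 context, after which the `SSL_OP_NO_SSLv3`/`SSL_OP_NO_TLSv1*` calls in the second hunk (`@@ -133,6 +154,14 @@`) disable every version the library actually has, producing a context that can never complete a handshake. I would fail fast in all of those cases with an explicit "protocol not supported by this OpenSSL" error through the function's existing error-reporting path and a return, and consolidate the four `#if` islands into one up-front check that the requested mask is satisfiable before any `SSL_CTX_new` call. The enclosing `TCN_IMPLEMENT_CALL(jlong, SSLContext, ...)` function begins before and ends after this hunk.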