Author: schultz Date: Fri Oct 17 15:19:35 2014 New Revision: 1632604 URL: http://svn.apache.org/r1632604 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 Add support for TLSv1.1 and TLSv1.2 to APR connector.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
tomcat/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 15:19:35 2014
@@ -70,7 +70,9 @@ public final class SSL {
 public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
 public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
 public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+ public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
 /*
 * Define the SSL verify levels
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct 17 15:19:35 2014
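Review bot: The two new constants in SSL.java, `SSL_PROTOCOL_TLSV1_1 = (1<<3)` and `SSL_PROTOCOL_TLSV1_2 = (1<<4)`, carry no comment stating that their bit positions must agree with what the native library behind org.apache.tomcat.jni decodes; if an older native build does not know these bits, the Java side presumably gets no error and the requested versions are silently not what is enabled, so the contract deserves to be written down. A comment above the group such as `// Bit values are passed to the native library and must match its protocol flags; do not renumber.` would protect the next maintainer. The redefinition of SSL_PROTOCOL_ALL also changes its meaning from "all defined flags" to "every TLS version, no SSL", which the name alone no longer conveys; `// ALL == every TLS version; SSLv2 and SSLv3 are deliberately excluded` on that line would make the intent explicit where the value is defined rather than only in SSLContext's Javadoc. The class body continues outside the hunk.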
@@ -27,13 +27,15 @@ public final class SSLContext {
 /**
 * Initialize new SSL context
 * @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
+ * @param protocol The SSL protocol to use. It can be any combination of
+ * the following:
 * <PRE>
- * SSL_PROTOCOL_SSLV2
- * SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_TLSV1
- * SSL_PROTOCOL_ALL
+ * {@link SSL#SSL_PROTOCOL_SSLV2}
+ * {@link SSL#SSL_PROTOCOL_SSLV3}
+ * {@link SSL#SSL_PROTOCOL_TLSV1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_2}
+ * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL)
 * </PRE>
 * @param mode SSL mode to use
 * <PRE>
Modified: tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java Fri Oct 17 15:19:35 2014
@@ -181,7 +181,7 @@ public class AprSocketContext {
 private boolean useSendfile;
- private int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
+ private int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2;
 /**
 * Max time spent in a callback ( will be longer for blocking )
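Review bot: The new default for `sslProtocol` in the AprSocketContext hunk at line 181 spells out TLSv1 | TLSv1.1 | TLSv1.2 by hand even though this same commit redefines SSL.SSL_PROTOCOL_ALL as exactly that set; `private int sslProtocol = SSL.SSL_PROTOCOL_ALL;` would keep the default in one place so the two cannot drift apart the next time a version is added or retired. Dropping SSLv3 from the default is the right call but is silent in the code; a comment such as `// SSLv3 intentionally absent from the default; it must be requested explicitly via setSslProtocol` records the decision, with the setter name to be confirmed since it lies outside the hunk. The surrounding class body is outside the hunk.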
@@ -302,6 +302,10 @@ public class AprSocketContext {
 sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
 } else if ("TLSv1".equalsIgnoreCase(protocol)) {
 sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2;
 } else if ("all".equalsIgnoreCase(protocol)) {
 sslProtocol = SSL.SSL_PROTOCOL_ALL;
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1632604&r1=1632603&r2=1632604&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Oct 17 15:19:35 2014
@@ -506,6 +506,10 @@ public class AprEndpoint extends Abstrac
 value |= SSL.SSL_PROTOCOL_SSLV3;
 } else if ("TLSv1".equalsIgnoreCase(protocol)) {
 value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
 } else if ("all".equalsIgnoreCase(protocol)) {
 value |= SSL.SSL_PROTOCOL_ALL;
 } else {
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632604&r1=1632603&r2=1632604&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Oct 17 15:19:35 2014
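Review bot: The AprSocketContext branches assign (`sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;`) so only one protocol name can be in effect at a time, whereas the AprEndpoint hunk in the same commit ORs each flag into `value` and so, presumably inside a loop over "+"-separated tokens that starts outside the hunk, accepts the `TLSv1+TLSv1.1+TLSv1.2` form this commit documents; it is worth confirming that asymmetry is intended and, if not, changing these branches to `sslProtocol |= ...` under the same tokenising loop. Both files now carry an identical name-to-flag chain, so the next protocol version means editing two places; a single lookup in SSL (a static method mapping the name to its flag, with AprEndpoint and AprSocketContext both calling it) would keep them in step. Within the AprSocketContext hunk an unrecognised name falls off the end of the chain with no `else`, unlike AprEndpoint's trailing `} else {`; if nothing after the hunk reports it, a misspelling such as `TLSv12` would silently leave the previous setting in force. The enclosing methods begin outside both hunks.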
@@ -68,6 +68,10 @@ cache for a web application via JMX. (markt) </add> <fix> + <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR connector. + Based upon a patch by Marcel Šebek. (schultz/jfclere) + </fix> + <fix> <bug>55951</bug>: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 <strong>CookieProcessor</strong>. (markt) Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1632604&r1=1632603&r2=1632604&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Fri Oct 17 15:19:35 2014 
@@ -1368,11 +1368,12 @@ <attribute name="SSLProtocol" required="false"> <p>Protocol which may be used for communicating with clients. The default - value is <code>all</code>, which is equivalent to <code>TLSv1</code> + value is <code>all</code>, which is equivalent to <code>TLSv1+TLSv1.1+TLSv1.2</code> with other acceptable values being <code>SSLv2</code>, - <code>SSLv3</code>, <code>TLSv1</code> and any combination of the three - protocols concatenated with a plus sign. Note that the protocols - <code>SSLv2</code> and <code>SSLv3</code> are inherently unsafe.</p> + <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>, <code>TLSv1.2</code> + and any combination of the three protocols concatenated with a plus sign. + Note that both protocols <code>SSLv2</code> and <code>SSLv3</code> are + inherently unsafe.</p> </attribute> <attribute name="SSLVerifyClient" required="false"> Modified: tomcat/trunk/webapps/docs/ssl-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssl-howto.xml?rev=1632604&r1=1632603&r2=1632604&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/ssl-howto.xml (original) +++ tomcat/trunk/webapps/docs/ssl-howto.xml Fri Oct 17 15:19:35 2014 @@ -344,7 +344,7 @@ this:</p> scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem" - SSLVerifyClient="optional" SSLProtocol="TLSv1"/>]]></source> + SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>]]></source> <p>You will note that the example SSL connector elements are commented out by