On 17/10/2014 16:31, schu...@apache.org wrote: > Author: schultz > Date: Fri Oct 17 15:31:16 2014 > New Revision: 1632606 > > URL: http://svn.apache.org/r1632606 > Log: > Back-ported r1632604 to fix > https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 > Add support for TLSv1.1 and TLSv1.2 to APR connector.
This triggers an error if you start Tomcat with tc-native 1.1.31 or earlier since the lib doesn't understand the TLSv1.1 or TLSv1.2 settings that are part of ALL. I'm fine with that for now - this is a development branch after all. My current thinking is to get a 1.1.32 release out ASAP, bump the minimum required version to 1.1.32 and then do an 8.0.x release (and probably 7.0.x and 6.0.x as well). I'm planning to do some prep work (change log, version updates etc.) for a 1.1.32 release over the weekend with a tag early next week. Unless anyone else wants to take a crack at the release...

Mark

> > Modified: > tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java > tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java > tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml > tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml > tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml > > Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) > +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 17 > 15:31:16 2014 
> @@ -72,7 +72,9 @@ public final class SSL { > public static final int SSL_PROTOCOL_SSLV2 = (1<<0); > public static final int SSL_PROTOCOL_SSLV3 = (1<<1); > public static final int SSL_PROTOCOL_TLSV1 = (1<<2); > - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1); > + public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); > + public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); > + public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | > SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); > > /* > * Define the SSL verify levels > > Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original) > +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct > 17 15:31:16 2014 
> @@ -27,13 +27,15 @@ public final class SSLContext { > /** > * Initialize new SSL context > * @param pool The pool to use. > - * @param protocol The SSL protocol to use. It can be one of: > + * @param protocol The SSL protocol to use. It can be any combination of > + * the following: > * <PRE> > - * SSL_PROTOCOL_SSLV2 > - * SSL_PROTOCOL_SSLV3 > - * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3 > - * SSL_PROTOCOL_TLSV1 > - * SSL_PROTOCOL_ALL > + * {@link SSL#SSL_PROTOCOL_SSLV2} > + * {@link SSL#SSL_PROTOCOL_SSLV3} > + * {@link SSL#SSL_PROTOCOL_TLSV1} > + * {@link SSL#SSL_PROTOCOL_TLSV1_1} > + * {@link SSL#SSL_PROTOCOL_TLSV1_2} > + * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) > * </PRE> > * @param mode SSL mode to use > * <PRE> > > Modified: > tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > (original) > +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri > Oct 17 15:31:16 2014 
> @@ -503,6 +503,10 @@ public class AprEndpoint extends Abstrac > value |= SSL.SSL_PROTOCOL_SSLV3; > } else if ("TLSv1".equalsIgnoreCase(protocol)) { > value |= SSL.SSL_PROTOCOL_TLSV1; > + } else if ("TLSv1.1".equalsIgnoreCase(protocol)) { > + value |= SSL.SSL_PROTOCOL_TLSV1_1; > + } else if ("TLSv1.2".equalsIgnoreCase(protocol)) { > + value |= SSL.SSL_PROTOCOL_TLSV1_2; > } else if ("all".equalsIgnoreCase(protocol)) { > value |= SSL.SSL_PROTOCOL_ALL; > } else { > > Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) > +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 17 15:31:16 2014 > @@ -59,6 +59,9 @@ > <subsection name="Catalina"> > <changelog> > <fix> > + <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR > connector. > + Based upon a patch by Marcel Šebek. (schultz/jfclere) > + </fix> > <bug>57022</bug>: Ensure SPNEGO authentication continues to work with > the JNDI Realm using delegated credentials with recent Oracle JREs. > (markt) > > Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original) > +++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Fri Oct 17 15:31:16 2014 
> @@ -1243,11 +1243,12 @@ > > <attribute name="SSLProtocol" required="false"> > <p>Protocol which may be used for communicating with clients. The > default > - value is <code>all</code>, which is equivalent to <code>TLSv1</code> > + value is <code>all</code>, which is equivalent to > <code>TLSv1+TLSv1.1+TLSv1.2</code> > with other acceptable values being <code>SSLv2</code>, > - <code>SSLv3</code>, <code>TLSv1</code> and any combination of the three > - protocols concatenated with a plus sign. Note that the protocols > - <code>SSLv2</code> and <code>SSLv3</code> are inherently unsafe.</p> > + <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>, > <code>TLSv1.2</code> > + and any combination of the three protocols concatenated with a plus > sign. > + Note that both protocols <code>SSLv2</code> and <code>SSLv3</code> are > + inherently unsafe.</p> > </attribute> > > <attribute name="SSLVerifyClient" required="false"> > > Modified: tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml > URL: > http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml?rev=1632606&r1=1632605&r2=1632606&view=diff > ============================================================================== > --- tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml (original) > +++ tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml Fri Oct 17 15:31:16 2014 
> @@ -368,7 +368,7 @@ this:</p> > scheme="https" secure="true" SSLEnabled="true" > SSLCertificateFile="/usr/local/ssl/server.crt" > SSLCertificateKeyFile="/usr/local/ssl/server.pem" > - SSLVerifyClient="optional" SSLProtocol="TLSv1"/> > + SSLVerifyClient="optional" > SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/> > </source> > </p> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > ---------------------------------------------------------------------
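Review bot: in the SSL.java hunk, `SSL_PROTOCOL_ALL` now ORs in the new `SSL_PROTOCOL_TLSV1_1` and `SSL_PROTOCOL_TLSV1_2` bits, and the reply above says tc-native 1.1.31 and earlier errors out on a value that contains them; because `all` is the documented default for `SSLProtocol`, every APR connector running on an older native library will fail at startup after this change, not just those that opt in to the new versions. Suggest either ORing the new bits into `value` in AprEndpoint only when the loaded tc-native version supports them, or, if the minimum tc-native version is bumped as proposed, stating that new minimum in the changelog entry and the http.xml text so the startup failure is discoverable from the docs.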
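Review bot: the changelog.xml hunk leaves the XML unbalanced: the three added lines end with `+ </fix>`, but no `+ <fix>` follows before the unchanged `<bug>57022</bug>` context line, so the 57022 entry now sits directly inside `<changelog>` and its original closing `</fix>` is left without an opener. Suggest adding a `<fix>` line immediately after the new `</fix>` so each bug stays in its own `<fix>` element.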
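Review bot: the http.xml hunk still reads "any combination of the three protocols concatenated with a plus sign" after the same hunk extends the list to five values (`SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`); "three" is now stale and should become "these protocols" or "the five protocols" so the attribute description matches the values it lists.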