Author: schultz
Date: Thu Oct 23 14:22:17 2014
New Revision: 1633819

URL: http://svn.apache.org/r1633819
Log:
Back-ported r1632586 to disable SSLv3 for APR/native.
The documentation portion of the original patch has been modified to be less intrusive, as the Tomcat 6 APR/native/SSL documentation was arranged somewhat differently than Tomcat 7, which is the source of the patch. Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/tc6.0.x/trunk/webapps/docs/apr.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1632584 Merged /tomcat/tc7.0.x/trunk:r1632586 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1633819&r1=1633818&r2=1633819&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Oct 23 14:22:17 2014 @@ -85,11 +85,6 @@ PATCHES PROPOSED TO BACKPORT: slightly different "null" behavior in Oracle/OpenJDK versus IBM JVMs. -* Mitigate POODLE by disabling SSLv3 by default for APR/native - http://svn.apache.org/r1632586 - +1: markt, kkolinko, schultz - -1: - * Fix timestamps in Tomcat build to use 24-hour format instead of 12-hour one and use UTC timezone. https://people.apache.org/~kkolinko/patches/2014-10-20_tc6_tstamp.patch Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1633819&r1=1633818&r2=1633819&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 23 14:22:17 2014 
@@ -73,7 +73,7 @@ public final class SSL { public static final int SSL_PROTOCOL_SSLV2 = (1<<0); public static final int SSL_PROTOCOL_SSLV3 = (1<<1); public static final int SSL_PROTOCOL_TLSV1 = (1<<2); - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1); + public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1); /* * Define the SSL verify levels Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1633819&r1=1633818&r2=1633819&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Thu Oct 23 14:22:17 2014 
@@ -246,12 +246,13 @@ <attribute name="SSLProtocol" required="false"> <p> Protocol which may be used for communicating with clients. The default - value is <code>all</code>, with other acceptable values being <code>SSLv2</code>, - <code>SSLv3</code>, <code>TLSv1</code> and <code>SSLv2+SSLv3</code>. + value is <code>all</code>, which is equivalent to <code>TLSv1</code> + with other acceptable values being <code>SSLv2</code>, + <code>SSLv3</code>, and <code>TLSv1</code>. Starting with version 1.1.21 of the Tomcat native - library any combination of the three protocols concatenated with a - plus sign will be supported. Note that the protocol <code>SSLv2</code> - is inherently unsafe. + library any combination of these protocols concatenated with a + plus sign is be supported. Note that both protocols <code>SSLv2</code> + and <code>SSLv3</code> are inherently unsafe. </p> </attribute> <attribute name="SSLCipherSuite" required="false"> Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1633819&r1=1633818&r2=1633819&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Oct 23 14:22:17 2014 @@ -67,6 +67,10 @@ Update documentation: the minimum version of Apache Ant required to build Tomcat is 1.8.0. (kkolinko) </fix> + <add> + Disable SSLv3 by default for the APR/native HTTPS connector. + (markt/schultz) + </add> </changelog> </subsection> </section>
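Review bot: in the SSL.java hunk, `SSL_PROTOCOL_ALL` now expands to `SSL_PROTOCOL_TLSV1` alone but keeps its name and carries no comment, so a reader of SSL.java cannot tell that leaving out `SSL_PROTOCOL_SSLV2` and `SSL_PROTOCOL_SSLV3` is deliberate rather than an editing slip. Add a comment on the `+` line stating that `all` intentionally excludes SSLv2 and SSLv3 because they are unsafe (matching the apr.xml wording in this commit), and check any code that compares a protocol mask against `SSL_PROTOCOL_ALL` or ORs other flags into it, since the bit pattern that `all` produces has changed.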
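Review bot: typo in the apr.xml hunk on the added line `+ plus sign is be supported.`; it should read `plus sign is supported.` (the removed line read `will be supported`). The earlier `+` line runs `which is equivalent to <code>TLSv1</code>` straight into `with other acceptable values`, so a comma is needed after `</code>`. Because the meaning of `all` changed in this commit (the removed lines show it previously covering SSLv2, SSLv3 and TLSv1), one sentence noting that the default no longer enables SSLv3 would help administrators reading only this attribute description understand that upgrading changes the connector's behaviour.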
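Review bot: the changelog entry says only `Disable SSLv3 by default`, but the SSL.java hunk in this same commit removes both `SSL_PROTOCOL_SSLV2` and `SSL_PROTOCOL_SSLV3` from `SSL_PROTOCOL_ALL`, so the entry understates the change; consider `Disable SSLv2 and SSLv3 by default for the APR/native HTTPS connector (the all value of SSLProtocol now means TLSv1)` and a short reference to the POODLE rationale recorded in the STATUS.txt proposal being removed here, so the release notes say why a default changed. Also consider whether `<fix>` is the better element than `<add>`: the neighbouring entry in the shown context uses `<fix>`, and this change alters existing behaviour rather than introducing a feature.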