Author: markt
Date: Thu Nov 6 10:59:53 2014
New Revision: 1637075
URL: http://svn.apache.org/r1637075
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
Add support for TLSv1.1 and TLSv1.2 for APR connector.
Based upon a patch by Marcel Šebek.
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 6 10:59:53 2014
@@ -87,15 +87,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kkolinko, schultz, markt
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
- Add support for TLSv1.1 and TLSv1.2 to APR connector.
- Back-port r1632606 from Tomcat 7.
- http://people.apache.org/~schultz/patches/53952.tc6.patch.2
- +1: schultz, kkolinko, remm
- +1: markt: 'ALL' excluding TLSv1.1 and TLSv1.2 is a bit odd but I see why you
- did it that way.
- -1:
-
PATCHES/ISSUES THAT ARE STALLED:
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
Thu Nov 6 10:59:53 2014
@@ -62,7 +62,7 @@ public class AprLifecycleListener
protected static final int TCN_REQUIRED_MAJOR = 1;
protected static final int TCN_REQUIRED_MINOR = 1;
protected static final int TCN_REQUIRED_PATCH = 30;
- protected static final int TCN_RECOMMENDED_PV = 30;
+ protected static final int TCN_RECOMMENDED_PV = 32;
// ---------------------------------------------- Properties
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Nov 6
10:59:53 2014
@@ -73,6 +73,8 @@ public final class SSL {
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1);
/*
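Review bot: `SSL_PROTOCOL_ALL` on the line after the two new constants still expands to `SSL_PROTOCOL_TLSV1` only, so the `all` keyword — which apr.xml in this same commit says is the default for `SSLProtocol` — will never offer TLSv1.1 or TLSv1.2 even on a native library that supports them; the STATUS entry shows this was a deliberate choice, but nothing in the code says so. Without a comment the next maintainer will read it as an oversight and "fix" it, or an operator will assume the default already negotiates TLS 1.2. I would annotate the definition with `// Deliberately TLSv1 only (BZ 53952): the TLSv1.1/TLSv1.2 bits need tcnative >= 1.1.32 and must be requested explicitly, e.g. "TLSv1+TLSv1.1+TLSv1.2".` The reason for excluding them is presumably compatibility with older tcnative builds that do not know bits 3 and 4 — worth confirming and stating in the comment.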
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Thu Nov 6
10:59:53 2014
@@ -29,13 +29,15 @@ public final class SSLContext {
/**
* Initialize new SSL context
* @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
+ * @param protocol The SSL protocol to use. It can be any combination of
+ * the following:
* <PRE>
- * SSL_PROTOCOL_SSLV2
- * SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_TLSV1
- * SSL_PROTOCOL_ALL
+ * {@link SSL#SSL_PROTOCOL_SSLV2}
+ * {@link SSL#SSL_PROTOCOL_SSLV3}
+ * {@link SSL#SSL_PROTOCOL_TLSV1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_1}
+ * {@link SSL#SSL_PROTOCOL_TLSV1_2}
+ * {@link SSL#SSL_PROTOCOL_ALL} ( == SSL_PROTOCOL_TLSV1, no SSL)
* </PRE>
* @param mode SSL mode to use
* <PRE>
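Review bot: The rewritten `@param protocol` text now invites "any combination" of the listed flags but presents `SSL_PROTOCOL_SSLV2` and `SSL_PROTOCOL_SSLV3` as ordinary choices, while the changelog in this same commit records SSLv3 being disabled by default and apr.xml calls both inherently unsafe. Since this Javadoc is what an API caller reads, I would add one line under the list: `* SSLv2 and SSLv3 are insecure and should not be enabled; they are not part of SSL_PROTOCOL_ALL.` The `TLSV1_1`/`TLSV1_2` entries would also benefit from a trailing note that they require tcnative 1.1.32 or later, as the XML docs say. The method signature and body lie outside this hunk.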
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu
Nov 6 10:59:53 2014
@@ -768,6 +768,10 @@ public class AprEndpoint extends Abstrac
value |= SSL.SSL_PROTOCOL_SSLV3;
} else if ("TLSv1".equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
} else if ("all".equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_ALL;
} else {
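Review bot: The two new branches accept `TLSv1.1` and `TLSv1.2` on any native library the listener admits — `TCN_REQUIRED_PATCH` stays at 30 in this commit while the docs say these protocols need 1.1.32 — and nothing visible here checks the loaded tcnative version before setting bits (1<<3) and (1<<4). How a 1.1.30/31 library treats bits it does not know is not shown in the diff; if it silently ignores them, a connector configured as `SSLProtocol="TLSv1.2"` could start with a protocol set the operator did not intend rather than failing closed. I would guard the result after parsing, roughly `if ((value & (SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2)) != 0 && nativeVersionBelow(1, 1, 32)) { throw new IllegalArgumentException(...); }`, using whatever version accessor AprLifecycleListener exposes, or at minimum document the constraint with `// TLSv1.1/TLSv1.2 bits are only understood by tcnative >= 1.1.32; older libraries' behaviour on unknown bits is unverified`. The enclosing method, including the `else` branch that handles unrecognised tokens, begins and ends outside this hunk.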
Modified: tomcat/tc6.0.x/trunk/webapps/docs/apr.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/apr.xml?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/apr.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/apr.xml Thu Nov 6 10:59:53 2014
@@ -248,11 +248,15 @@
Protocol which may be used for communicating with clients. The default
value is <code>all</code>, which is equivalent to <code>TLSv1</code>
with other acceptable values being <code>SSLv2</code>,
- <code>SSLv3</code>, and <code>TLSv1</code>.
+ <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code><sup>*</sup>,
+ and <code>TLSv1.2</code><sup>*</sup>.
Starting with version 1.1.21 of the Tomcat native
library any combination of these protocols concatenated with a
plus sign is be supported. Note that both protocols <code>SSLv2</code>
and <code>SSLv3</code> are inherently unsafe.
+ <br />
+ <sup>*<sup> The use of TLSv1.1 and TLSv1.2 require Tomcat native v1.1.32
+ or higher.
</p>
</attribute>
<attribute name="SSLCipherSuite" required="false">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 6 10:59:53 2014
@@ -54,6 +54,10 @@
Disable SSLv3 by default for the APR/native HTTPS connector.
(markt/schultz)
</add>
+ <fix>
+ <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR
connector.
+ Based upon a patch by Marcel Šebek. (schultz/jfclere)
+ </fix>
</changelog>
</subsection>
<subsection name="Web applications">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml?rev=1637075&r1=1637074&r2=1637075&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml Thu Nov 6 10:59:53 2014
@@ -371,8 +371,7 @@ file installed with Tomcat. For JSSE, i
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
- clientAuth="optional" SSLProtocol="TLSv1"/>
--->
+ SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
</source>
</p>
@@ -545,4 +544,4 @@ For additional discussion on this area,
</body>
-</document>
\ No newline at end of file
+</document>