Author: kkolinko Date: Thu Nov 13 17:39:41 2014 New Revision: 1639415 URL: http://svn.apache.org/r1639415 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56780 Enable Tomcat to start when using an IBM JRE in strict SP800-131a mode This back-ports the fix as well as some additional changes to more closely align the Tomcat 6 code with the code in Tomcat 7.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEFactory.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 13 17:39:41 2014 @@ -28,13 +28,7 @@ None PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56780 - Enable Tomcat to start when using a IBM JRE in strict SP800-131a mode - This back-ports the fix as well as some additional changes to more closely - align the Tomcat 6 code with the code in Tomcat 7. - https://people.apache.org/~kkolinko/patches/2014-11-09_tc6_bug56780-v3.patch - +1: kkolinko, markt, remm - -1: +None PATCHES/ISSUES THAT ARE STALLED: Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java Thu Nov 13 17:39:41 2014 
@@ -85,6 +85,7 @@ public class Http11Protocol extends Abst protected Http11ConnectionHandler cHandler = new Http11ConnectionHandler(this); protected JIoEndpoint endpoint = new JIoEndpoint(); + @Override protected final AbstractEndpoint getEndpoint() { return endpoint; } @@ -155,7 +156,8 @@ public class Http11Protocol extends Abst if (isSSLEnabled()) { sslImplementation = SSLImplementation.getInstance(sslImplementationName); - socketFactory = sslImplementation.getServerSocketFactory(); + socketFactory = sslImplementation.getServerSocketFactory( + (String) getAttribute("sslProtocol")); endpoint.setServerSocketFactory(socketFactory); } else if (socketFactoryName != null) { socketFactory = (ServerSocketFactory) Class.forName(socketFactoryName).newInstance(); @@ -556,6 +558,7 @@ public class Http11Protocol extends Abst protected ConcurrentLinkedQueue<Http11Processor> recycledProcessors = new ConcurrentLinkedQueue<Http11Processor>() { protected AtomicInteger size = new AtomicInteger(0); + @Override public boolean offer(Http11Processor processor) { boolean offer = (proto.processorCache == -1) ? true : (size.get() < proto.processorCache); //avoid over growing our cache or add after we have stopped @@ -570,6 +573,7 @@ public class Http11Protocol extends Abst return result; } + @Override public Http11Processor poll() { Http11Processor result = super.poll(); if ( result != null ) { 
@@ -578,6 +582,7 @@ public class Http11Protocol extends Abst return result; } + @Override public void clear() { Http11Processor next = poll(); while ( next != null ) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java Thu Nov 13 17:39:41 2014 @@ -68,7 +68,7 @@ abstract public class SSLImplementation if( JSSEImplementationClass.equals(className) ) { return new org.apache.tomcat.util.net.jsse.JSSEImplementation(); } - Class clazz=Class.forName(className); + Class<?> clazz=Class.forName(className); return (SSLImplementation)clazz.newInstance(); } catch (Exception e){ if(logger.isDebugEnabled()) @@ -81,6 +81,7 @@ abstract public class SSLImplementation abstract public String getImplementationName(); abstract public ServerSocketFactory getServerSocketFactory(); + abstract public ServerSocketFactory getServerSocketFactory(String sslProtocol); abstract public SSLSupport getSSLSupport(Socket sock); /** Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEFactory.java?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEFactory.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEFactory.java Thu Nov 13 17:39:41 2014 
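Review bot: Adding `abstract public ServerSocketFactory getServerSocketFactory(String sslProtocol);` to a public abstract class in a maintenance release breaks every third-party SSLImplementation subclass: it no longer compiles, and an already-built one throws AbstractMethodError the moment Http11Protocol calls the new overload, since the `sslImplementation` connector attribute exists precisely to plug such classes in. A non-abstract default that ignores the protocol, `public ServerSocketFactory getServerSocketFactory(String sslProtocol) { return getServerSocketFactory(); }`, keeps existing implementations working while JSSEImplementation overrides it. The retained no-arg overload here, in JSSEFactory.getSocketFactory() and in JSSEImplementation.getServerSocketFactory() now computes the connector defaults from the hard-coded "TLS" context rather than the configured sslProtocol; its Javadoc should say so and carry `@deprecated` pointing at the String overload so new callers do not pick it by accident.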
@@ -19,20 +19,19 @@ package org.apache.tomcat.util.net.jsse; import java.net.Socket; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import org.apache.tomcat.util.net.SSLSupport; import org.apache.tomcat.util.net.ServerSocketFactory; -import javax.net.ssl.SSLSession; -/** +/** * Factory interface to construct components based on the JSSE version * in use. * * @author Bill Barker * @author Filip Hanik */ - public class JSSEFactory { /** @@ -43,14 +42,24 @@ public class JSSEFactory { } /** + * Returns the ServerSocketFactory to use. + * @param sslProtocol Name of SSL protocol, e.g. "TLS". It is used to + * obtain an instance of <code>javax.net.ssl.SSLContext</code>. If it is + * <code>null</code> then a default will be used. + */ + public ServerSocketFactory getSocketFactory(String sslProtocol) { + return new JSSESocketFactory(sslProtocol); + } + + /** * returns the SSLSupport attached to this socket. */ public SSLSupport getSSLSupport(Socket socket) { return new JSSESupport((SSLSocket)socket); } - + public SSLSupport getSSLSupport(SSLSession session) { return new JSSESupport(session); } -}; +} Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Thu Nov 13 17:39:41 2014 
@@ -47,20 +47,30 @@ public class JSSEImplementation extends } + @Override public String getImplementationName(){ return "JSSE"; } - + + @Override public ServerSocketFactory getServerSocketFactory() { ServerSocketFactory ssf = factory.getSocketFactory(); return ssf; - } + } + + @Override + public ServerSocketFactory getServerSocketFactory(String sslProtocol) { + ServerSocketFactory ssf = factory.getSocketFactory(sslProtocol); + return ssf; + } + @Override public SSLSupport getSSLSupport(Socket s) { SSLSupport ssls = factory.getSSLSupport(s); return ssls; } + @Override public SSLSupport getSSLSupport(SSLSession session) { SSLSupport ssls = factory.getSSLSupport(session); return ssls; Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 13 17:39:41 2014 @@ -41,11 +41,11 @@ import java.security.cert.CollectionCert import java.security.cert.PKIXBuilderParameters; import java.security.cert.X509CertSelector; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.HashSet; import java.util.List; import java.util.Set; -import java.util.Vector; import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.KeyManager; 
@@ -79,65 +79,26 @@ import org.apache.tomcat.util.res.String public class JSSESocketFactory extends org.apache.tomcat.util.net.ServerSocketFactory { + private static final org.apache.juli.logging.Log log = + org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); private static StringManager sm = StringManager.getManager("org.apache.tomcat.util.net.jsse.res"); - private static final boolean RFC_5746_SUPPORTED; - - public static final String[] DEFAULT_SERVER_PROTOCOLS; - // defaults - static String defaultProtocol = "TLS"; - static boolean defaultClientAuth = false; - static String defaultKeystoreType = "JKS"; + private static final String defaultProtocol = "TLS"; + private static final String defaultKeystoreType = "JKS"; private static final String defaultKeystoreFile = System.getProperty("user.home") + "/.keystore"; - private static final String defaultKeyPass = "changeit"; private static final int defaultSessionCacheSize = 0; private static final int defaultSessionTimeout = 86400; + private static final String ALLOW_ALL_SUPPORTED_CIPHERS = "ALL"; + private static final String defaultKeyPass = "changeit"; - static org.apache.juli.logging.Log log = - org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); - - static { - boolean result = false; - SSLContext context; - String[] protocols = null; - try { - context = SSLContext.getInstance("TLS"); - context.init(null, null, new SecureRandom()); - SSLServerSocketFactory ssf = context.getServerSocketFactory(); - String ciphers[] = ssf.getSupportedCipherSuites(); - for (String cipher : ciphers) { - if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) { - result = true; - break; - } - } - - // There is no API to obtain the default server protocols and cipher - // suites. Having inspected the OpenJDK code there the same results - // can be achieved via the standard API but there is no guarantee - // that every JVM implementation determines the defaults the same - // way. 
Therefore the defaults are determined by creating a server - // socket and requested the configured values. - - SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket(); - // Filter out all the insecure protocols - protocols = filterInsecureProcotols(socket.getEnabledProtocols()); - } catch (NoSuchAlgorithmException e) { - // Assume no RFC 5746 support - } catch (KeyManagementException e) { - // Assume no RFC 5746 support - } catch (IOException e) { - // Unable to determine default ciphers/protocols so use none - } - RFC_5746_SUPPORTED = result; - DEFAULT_SERVER_PROTOCOLS = protocols; - } + private final boolean rfc5746Supported; + private final String[] defaultServerProtocols; + private final String[] defaultServerCipherSuites; protected boolean initialized; - protected String clientAuth = "false"; protected SSLServerSocketFactory sslProxy = null; protected String[] enabledCiphers; protected boolean allowUnsafeLegacyRenegotiation = false; 
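Review bot: `public static final String[] DEFAULT_SERVER_PROTOCOLS` was public API and this hunk removes it outright, so anything outside Tomcat that referenced it (custom ServerSocketFactory subclasses, embedding code) fails at class-load after upgrading. Reinstating a static copy is not an option here, because an eager static probe is exactly what failed under strict SP800-131a and the new constructor throws for an unsupported protocol; the cleaner fix is to state the removal in the changelog `<update>` entry so the break is deliberate and documented. The remaining statics read as intended, but `private static StringManager sm` in the context lines is the only one left non-final and could be `private static final` for consistency with the new `log` field.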
@@ -154,8 +115,80 @@ public class JSSESocketFactory public JSSESocketFactory () { + this(null); + } + + public JSSESocketFactory(String sslProtocol) { + + if (sslProtocol == null) { + sslProtocol = defaultProtocol; + } + + SSLContext context; + try { + context = SSLContext.getInstance(sslProtocol); + context.init(null, null, null); + } catch (NoSuchAlgorithmException e) { + // This is fatal for the connector so throw an exception to prevent + // it from starting + throw new IllegalArgumentException(e); + } catch (KeyManagementException e) { + // This is fatal for the connector so throw an exception to prevent + // it from starting + throw new IllegalArgumentException(e); + } + + // Supported cipher suites aren't accessible directly from the + // SSLContext so use the SSL server socket factory + SSLServerSocketFactory ssf = context.getServerSocketFactory(); + String supportedCiphers[] = ssf.getSupportedCipherSuites(); + boolean found = false; + for (String cipher : supportedCiphers) { + if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) { + found = true; + break; + } + } + rfc5746Supported = found; + + // There is no standard way to determine the default protocols and + // cipher suites so create a server socket to see what the defaults are + SSLServerSocket socket; + try { + socket = (SSLServerSocket) ssf.createServerSocket(); + } catch (IOException e) { + // This is very likely to be fatal but there is a slim chance that + // the JSSE implementation just doesn't like creating unbound + // sockets so allow the code to proceed. 
+ defaultServerCipherSuites = new String[0]; + defaultServerProtocols = new String[0]; + log.warn(sm.getString("jsse.noDefaultCiphers")); + log.warn(sm.getString("jsse.noDefaultProtocols")); + return; + } + + defaultServerCipherSuites = socket.getEnabledCipherSuites(); + if (defaultServerCipherSuites.length == 0) { + log.warn(sm.getString("jsse.noDefaultCiphers")); + } + + // Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults + // since they are no longer considered secure + List<String> filteredProtocols = new ArrayList<String>(); + for (String protocol : socket.getEnabledProtocols()) { + if (protocol.contains("SSL")) { + log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol)); + continue; + } + filteredProtocols.add(protocol); + } + defaultServerProtocols = filteredProtocols.toArray(new String[filteredProtocols.size()]); + if (defaultServerProtocols.length == 0) { + log.warn(sm.getString("jsse.noDefaultProtocols")); + } } + @Override public ServerSocket createSocket (int port) throws IOException { @@ -165,6 +198,7 @@ public class JSSESocketFactory return socket; } + @Override public ServerSocket createSocket (int port, int backlog) throws IOException { @@ -174,6 +208,7 @@ public class JSSESocketFactory return socket; } + @Override public ServerSocket createSocket (int port, int backlog, InetAddress ifAddress) throws IOException @@ -185,6 +220,7 @@ public class JSSESocketFactory return socket; } + @Override public Socket acceptSocket(ServerSocket socket) throws IOException { @@ -198,10 +234,11 @@ public class JSSESocketFactory return asock; } + @Override public void handshake(Socket sock) throws IOException { ((SSLSocket)sock).startHandshake(); - if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) { + if (!allowUnsafeLegacyRenegotiation && !rfc5746Supported) { // Prevent further handshakes by removing all cipher suites ((SSLSocket) sock).setEnabledCipherSuites(new String[0]); } 
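Review bot: The two `throw new IllegalArgumentException(e)` lines in the new JSSESocketFactory(String) constructor discard the protocol name that was rejected, which is the one fact an operator running in strict SP800-131a mode needs to act on; `throw new IllegalArgumentException(sm.getString("jsse.unsupportedProtocol", sslProtocol), e);` reuses the message key already in LocalStrings and keeps the cause. The comment `// Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults` understates what `protocol.contains("SSL")` does: it also drops the `SSLv2Hello` pseudo-protocol, which is intended but should be stated, e.g. `// Drop every entry containing "SSL" (SSLv2, SSLv3 and the SSLv2Hello pseudo-protocol) so only TLS* remains in the defaults`. The probe `socket` from `ssf.createServerSocket()` exists only to read the defaults and is never closed; it is unbound so little is held, but a try/finally with `socket.close()` (its IOException ignored) around the two `getEnabled*` reads keeps the probe self-contained.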
@@ -216,70 +253,41 @@ public class JSSESocketFactory * @return Array of SSL cipher suites to be enabled, or null if none of the * requested ciphers are supported */ - protected String[] getEnabledCiphers(String requestedCiphers, + protected String[] getEnabledCiphers(String requestedCiphersStr, String[] supportedCiphers) { - String[] enabledCiphers = null; + if ((requestedCiphersStr == null) + || (requestedCiphersStr.trim().length() == 0)) { + return defaultServerCipherSuites; + } - if (requestedCiphers != null) { - Vector vec = null; - String cipher = requestedCiphers; - int index = requestedCiphers.indexOf(','); - if (index != -1) { - int fromIndex = 0; - while (index != -1) { - cipher = requestedCiphers.substring(fromIndex, index).trim(); - if (cipher.length() > 0) { - /* - * Check to see if the requested cipher is among the - * supported ciphers, i.e., may be enabled - */ - for (int i=0; supportedCiphers != null - && i<supportedCiphers.length; i++) { - if (supportedCiphers[i].equals(cipher)) { - if (vec == null) { - vec = new Vector(); - } - vec.addElement(cipher); - break; - } - } - } - fromIndex = index+1; - index = requestedCiphers.indexOf(',', fromIndex); - } // while - cipher = requestedCiphers.substring(fromIndex); - } - - if (cipher != null) { - cipher = cipher.trim(); - if (cipher.length() > 0) { - /* - * Check to see if the requested cipher is among the - * supported ciphers, i.e., may be enabled - */ - for (int i=0; supportedCiphers != null - && i<supportedCiphers.length; i++) { - if (supportedCiphers[i].equals(cipher)) { - if (vec == null) { - vec = new Vector(); - } - vec.addElement(cipher); - break; - } - } - } + List<String> requestedCiphers = new ArrayList<String>(); + for (String rc : requestedCiphersStr.split(",")) { + final String cipher = rc.trim(); + if (cipher.length() > 0) { + requestedCiphers.add(cipher); } + } + if (requestedCiphers.isEmpty()) { + return defaultServerCipherSuites; + } + List<String> ciphers = new 
ArrayList<String>(requestedCiphers); + ciphers.retainAll(Arrays.asList(supportedCiphers)); - if (vec != null) { - enabledCiphers = new String[vec.size()]; - vec.copyInto(enabledCiphers); + if (ciphers.isEmpty()) { + log.warn(sm.getString("jsse.requested_ciphers_not_supported", + requestedCiphersStr)); + } + if (log.isDebugEnabled()) { + log.debug(sm.getString("jsse.enableable_ciphers", ciphers)); + if (ciphers.size() != requestedCiphers.size()) { + List<String> skipped = new ArrayList<String>(requestedCiphers); + skipped.removeAll(ciphers); + log.debug(sm.getString("jsse.unsupported_ciphers", skipped)); } - } else { - enabledCiphers = sslProxy.getDefaultCipherSuites(); } - return enabledCiphers; + return ciphers.toArray(new String[ciphers.size()]); } /* @@ -527,8 +535,12 @@ public class JSSESocketFactory // Determine which cipher suites to enable String requestedCiphers = (String)attributes.get("ciphers"); - enabledCiphers = getEnabledCiphers(requestedCiphers, - sslProxy.getSupportedCipherSuites()); + if (ALLOW_ALL_SUPPORTED_CIPHERS.equals(requestedCiphers)) { + enabledCiphers = sslProxy.getSupportedCipherSuites(); + } else { + enabledCiphers = getEnabledCiphers(requestedCiphers, + sslProxy.getSupportedCipherSuites()); + } allowUnsafeLegacyRenegotiation = "true".equals(attributes.get("allowUnsafeLegacyRenegotiation")); @@ -714,7 +726,7 @@ public class JSSESocketFactory */ protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){ if (protocols == null) { - socket.setEnabledProtocols(DEFAULT_SERVER_PROTOCOLS); + socket.setEnabledProtocols(defaultServerProtocols); } else { socket.setEnabledProtocols(protocols); } 
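Review bot: The `@return` Javadoc in the context lines above, "or null if none of the requested ciphers are supported", is now wrong: the rewritten getEnabledCiphers returns `defaultServerCipherSuites` for a null or blank list and an empty array, after logging `jsse.requested_ciphers_not_supported`, when nothing matches. Update it to `@return Array of SSL cipher suites to be enabled: the connector defaults when none were requested, or an empty array if none of the requested ciphers are supported` and say that the empty array presumably leaves the socket with no enabled suites so no handshake completes — fail closed rather than a silent fall back to the defaults, which is the behaviour worth documenting. The old `supportedCiphers != null` guard is also gone, so `Arrays.asList(supportedCiphers)` NPEs on a null argument; the caller in the later hunk passes `sslProxy.getSupportedCipherSuites()`, non-null by the JSSE contract, but if null should stay tolerated add `if (supportedCiphers == null) supportedCiphers = new String[0];` before the `retainAll`. The method's Javadoc opens before this hunk.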
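Review bot: `ALLOW_ALL_SUPPORTED_CIPHERS.equals(requestedCiphers)` is an exact, case-sensitive match on the raw attribute, while every other ciphers value is trimmed per entry inside getEnabledCiphers, so `ciphers=" ALL"` or `ciphers="all"` falls through to the normal path and logs "not supported" instead of doing what the operator meant; comparing against `requestedCiphers.trim()`, or documenting in http.xml that the value is case-sensitive, removes the surprise. Since http.xml states that ALL enables suites that are not secure and is for testing only, the branch should also leave a trace at startup, e.g. `log.warn(sm.getString("<new LocalStrings key>"))` with a message saying all supported cipher suites including insecure ones are enabled, so a forgotten test setting is visible in the connector log. The enclosing init method starts and ends outside the hunk.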
@@ -738,7 +750,7 @@ public class JSSESocketFactory } if (requestedProtocols == null) { - return DEFAULT_SERVER_PROTOCOLS; + return defaultServerProtocols; } String[] requestedProtocolsArr = requestedProtocols.split(","); Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Thu Nov 13 17:39:41 2014 
@@ -17,8 +17,13 @@ jsse.alias_no_key_entry=Alias name {0} d jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2} jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. jsse.invalidTrustManagerClassName=The trustManagerClassName provided [{0}] does not implement javax.net.ssl.TrustManager -jsse.excludeDefaultProtocol=The SSL protocol [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat +jsse.requested_ciphers_not_supported=None of the ciphers specified are supported by the SSL engine : {0} +jsse.enableable_ciphers=Specified SSL ciphers that are supported and enableable are : {0} +jsse.unsupported_ciphers=Some specified SSL ciphers are not supported by the SSL engine : {0} jsse.unsupportedProtocol=The specified SSL protocol [{0}] is not supported +jsse.excludeDefaultProtocol=The SSL protocol [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat +jsse.noDefaultCiphers=Unable to determine a default for ciphers. Set an explicit value to ensure the connector can start. +jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start. jsseSupport.clientCertError=Error trying to obtain a certificate from the client jseeSupport.certTranslationError=Error translating certificate [{0}] jsseSupport.noCertWant=No client certificate sent for want Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 13 17:39:41 2014 
@@ -59,6 +59,10 @@ Based upon a patch by Marcel Šebek. (schultz/jfclere) </fix> <fix> + <bug>56780</bug>: Enable Tomcat to start when using SSL with an IBM JRE + in strict SP800-131a mode. (markt/kkolinko) + </fix> + <fix> <bug>57102</bug>: Fix bug that meant sslEnabledProtocols setting was not recognised for the HTTPS NIO connector. (markt) </fix> @@ -79,6 +83,11 @@ <bug>57116</bug>: Do not fallback to default protocol list for HTTPS BIO connector if <code>sslEnabledProtocols</code> has no matches. (markt) </fix> + <update> + Align calculation of default ciphers and default protocols for JSSE + HTTPS connectors with Tomcat 7 which allows for per connector defaults + based on the choice of <code>sslProtocol</code>. (markt/kkolinko) + </update> </changelog> </subsection> <subsection name="Web applications"> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1639415&r1=1639414&r2=1639415&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Nov 13 17:39:41 2014 
@@ -788,11 +788,15 @@ </attribute> <attribute name="ciphers" required="false"> - <p>The comma separated list of encryption ciphers that this socket is - allowed to use. By default, the default ciphers for the JVM will be used. - Note that this usually means that the weak export grade ciphers will be - included in the list of available ciphers. The ciphers are specified using - the JSSE cipher naming convention.</p> + <p>The comma separated list of encryption ciphers to support for HTTPS + connections. If specified, only the ciphers that are listed and supported + by the SSL implementation will be used. By default, the default ciphers + for the JVM will be used. Note that this usually means that the weak + export grade ciphers will be included in the list of available ciphers. + The ciphers are specified using the JSSE cipher naming convention. The + special value of <code>ALL</code> will enable all supported ciphers. This + will include many that are not secure. <code>ALL</code> is intended for + testing purposes only.</p> </attribute> <attribute name="keyAlias" required="false"> 
@@ -861,8 +865,9 @@ <attribute name="sslEnabledProtocols" required="false"> <p>The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and - supported by the SSL implementation will be enabled. If not specified, - the JVM default is used. The permitted values may be obtained from the + supported by the SSL implementation will be enabled. If not specified, + the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or + both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for <code>SSLSocket.setEnabledProtocols()</code> e.g. <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames">