Author: markt
Date: Tue Dec 23 10:16:20 2014
New Revision: 1647533
URL: http://svn.apache.org/r1647533
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391
Allow TLS Session Tickets to be disabled.
Patch provided by Josiah Purtlebaugh.
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Dec 23 10:16:20 2014
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1647533&r1=1647532&r2=1647533&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
Tue Dec 23 10:16:20 2014
@@ -196,6 +196,13 @@ public class Http11AprProtocol extends A
public boolean getSSLDisableCompression() { return
((AprEndpoint)endpoint).getSSLDisableCompression(); }
public void setSSLDisableCompression(boolean disable) {
((AprEndpoint)endpoint).setSSLDisableCompression(disable); }
+ /**
+ * Disable TLS Session Tickets (RFC 4507).
+ */
+ public boolean getSSLDisableSessionTickets() { return
((AprEndpoint)endpoint).getSSLDisableSessionTickets(); }
+ public void setSSLDisableSessionTickets(boolean enable) {
((AprEndpoint)endpoint).setSSLDisableSessionTickets(enable); }
+
+
// ----------------------------------------------------- JMX related
methods
@Override
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1647533&r1=1647532&r2=1647533&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue
Dec 23 10:16:20 2014
@@ -278,6 +278,12 @@ public class AprEndpoint extends Abstrac
public String getSSLCARevocationFile() { return SSLCARevocationFile; }
public void setSSLCARevocationFile(String SSLCARevocationFile) {
this.SSLCARevocationFile = SSLCARevocationFile; }
+ /**
+ * SSL disable TLS Session Tickets (RFC 4507).
+ */
+ protected boolean SSLDisableSessionTickets = false;
+ public boolean getSSLDisableSessionTickets() { return
SSLDisableSessionTickets; }
+ public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets)
{ this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
/**
* SSL verify client.
@@ -582,6 +588,24 @@ public class AprEndpoint extends Abstrac
SSL.versionString()));
}
}
+
+ // Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
+ if (SSLDisableSessionTickets) {
+ boolean disableSessionTicketsSupported = false;
+ try {
+ disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+ if (disableSessionTicketsSupported)
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_NO_TICKET);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+
+ if (!disableSessionTicketsSupported) {
+ // OpenSSL is too old to support TLS Session Tickets.
+
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+ SSL.versionString()));
+ }
+ }
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1647533&r1=1647532&r2=1647533&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
(original)
+++
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Tue Dec 23 10:16:20 2014
@@ -19,6 +19,7 @@ endpoint.err.handshake=Handshake failed
endpoint.err.unexpected=Unexpected error processing socket
endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because
the executor had already been shutdown
endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
+endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is
not supported by the SSL library {0}
endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1647533&r1=1647532&r2=1647533&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Tue Dec 23 10:16:20 2014
@@ -230,6 +230,11 @@
<bug>57347</bug>: AJP response contains wrong status reason phrase
(rjung)
</fix>
+ <add>
+ <bug>57391</bug>: Allow TLS Session Tickets to be disabled when using
+ the APR/native HTTP connector. Patch provided by Josiah Purtlebaugh.
+ (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1647533&r1=1647532&r2=1647533&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Tue Dec 23 10:16:20 2014
@@ -1387,6 +1387,11 @@
"10".</p>
</attribute>
+ <attribute name="SSLDisableSessionTickets" required="false">
+ <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+ <code>true</code>. Default is <code>false</code>.</p>
+ </attribute>
+
</attributes>
</subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
