Mark, On 12/23/14 5:09 AM, ma...@apache.org wrote: > Author: markt > Date: Tue Dec 23 10:09:03 2014 > New Revision: 1647530 > > URL: http://svn.apache.org/r1647530 > Log: > Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391 > Allow TLS Session Tickets to be disabled. > Patch provided by Josiah Purtlebaugh. > > Modified: > tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > tomcat/trunk/webapps/docs/config/http.xml > > Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1647530&r1=1647529&r2=1647530&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > (original) > +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Dec > 23 10:09:03 2014 
> @@ -183,6 +183,13 @@ public class Http11AprProtocol extends A > public boolean getSSLDisableCompression() { return > ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); } > public void setSSLDisableCompression(boolean disable) { > ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); } > > + /** > + * Disable TLS Session Tickets (RFC 4507). > + */ > + public boolean getSSLDisableSessionTickets() { return > ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); } > + public void setSSLDisableSessionTickets(boolean enable) { > ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); } > + > + > // ----------------------------------------------------- JMX related > methods > > @Override > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1647530&r1=1647529&r2=1647530&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Dec 23 > 10:09:03 2014 > @@ -271,6 +271,12 @@ public class AprEndpoint extends Abstrac > public String getSSLCARevocationFile() { return SSLCARevocationFile; } > public void setSSLCARevocationFile(String SSLCARevocationFile) { > this.SSLCARevocationFile = SSLCARevocationFile; } > > + /** > + * SSL disable TLS Session Tickets (RFC 4507). > + */ > + protected boolean SSLDisableSessionTickets = false; > + public boolean getSSLDisableSessionTickets() { return > SSLDisableSessionTickets; } > + public void setSSLDisableSessionTickets(boolean > SSLDisableSessionTickets) { this.SSLDisableSessionTickets = > SSLDisableSessionTickets; } > > /** > * SSL verify client. 
> @@ -575,6 +581,24 @@ public class AprEndpoint extends Abstrac > SSL.versionString())); > } > } > + > + // Disable TLS Session Tickets (RFC4507) to protect perfect > forward secrecy > + if (SSLDisableSessionTickets) { > + boolean disableSessionTicketsSupported = false; > + try { > + disableSessionTicketsSupported = > SSL.hasOp(SSL.SSL_OP_NO_TICKET); > + if (disableSessionTicketsSupported) > + SSLContext.setOptions(sslContext, > SSL.SSL_OP_NO_TICKET);
I think if the user requests disabled session tickets and the SSL library doesn't "have" that option-code, we should fail, here, instead of silently ignoring the request. I believe this is justified based upon the security implications of the setting. -chris > + } catch (UnsatisfiedLinkError e) { > + // Ignore > + } > + > + if (!disableSessionTicketsSupported) { > + // OpenSSL is too old to support TLS Session Tickets. > + > log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", > + SSL.versionString())); > + } > + } > > // List the ciphers that the client is permitted to negotiate > SSLContext.setCipherSuite(sslContext, SSLCipherSuite); > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1647530&r1=1647529&r2=1647530&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Tue > Dec 23 10:09:03 2014 
> @@ -19,6 +19,7 @@ endpoint.err.handshake=Handshake failed > endpoint.err.unexpected=Unexpected error processing socket > endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] > because the executor had already been shutdown > endpoint.warn.noDisableCompression='Disable compression' option is not > supported by the SSL library {0} > +endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option > is not supported by the SSL library {0} > endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not > supported by the SSL library {0} > endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the > SSL library {0} > endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. > Forcing hard socket shutdown. > > Modified: tomcat/trunk/webapps/docs/config/http.xml > URL: > http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1647530&r1=1647529&r2=1647530&view=diff > ============================================================================== > --- tomcat/trunk/webapps/docs/config/http.xml (original) > +++ tomcat/trunk/webapps/docs/config/http.xml Tue Dec 23 10:09:03 2014 > @@ -1348,6 +1348,11 @@ > "10".</p> > </attribute> > > + <attribute name="SSLDisableSessionTickets" required="false"> > + <p>Disables use of TLS Session Tickets (RFC 4507) if set to > + <code>true</code>. Default is <code>false</code>.</p> > + </attribute> > + > </attributes> > > </subsection> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org >
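Review bot: In the Http11AprProtocol hunk the setter parameter is named the opposite of what it does: `public void setSSLDisableSessionTickets(boolean enable)` passes `enable` straight into `setSSLDisableSessionTickets(...)`, so `enable = true` disables tickets. The sibling setter two lines above uses `setSSLDisableCompression(boolean disable)`; rename the parameter to `disable` to match. The Javadoc also cites RFC 4507, which has been obsoleted by RFC 5077; the doc hunk in http.xml repeats the older number.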
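Review bot: In the AprEndpoint init hunk, a request to disable session tickets that cannot be honoured only produces `log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", ...))` and the connector starts with tickets still enabled, which is the behaviour Chris objects to above; the `catch (UnsatisfiedLinkError e) { // Ignore }` block compounds it by dropping the reason. Since `SSLDisableSessionTickets` is a security setting the administrator set deliberately, the safer shape is to throw from initialisation when `SSL.hasOp(SSL.SSL_OP_NO_TICKET)` is false (or the call fails), so a start-up failure is visible rather than a silently weaker configuration. Minor style point: `if (disableSessionTicketsSupported)` is a brace-less single-line `if`, unlike the surrounding code.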
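Review bot: The http.xml hunk documents only "Disables use of TLS Session Tickets ... if set to true", but with the code as written the attribute can be ignored at runtime (warning `'Disable TLS Session Tickets' option is not supported by the SSL library {0}`). Whichever behaviour is kept, the attribute description should state it, since an administrator enabling this for forward-secrecy reasons will otherwise assume it took effect; it should also say the attribute applies to the APR/native connector, where the code lives.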