Author: rjung Date: Tue Feb 17 21:35:17 2015 New Revision: 1660504 URL: http://svn.apache.org/r1660504 Log: AJP: Forward name of SSL protocol used for handling the request (SSLv3, TLSv1, TLSv1.1, TLSv1.2).
This is related to Tomcat BZ 57540.
Modified:
tomcat/jk/trunk/native/apache-1.3/mod_jk.c
tomcat/jk/trunk/native/apache-2.0/mod_jk.c
tomcat/jk/trunk/native/common/jk_ajp_common.c
tomcat/jk/trunk/native/common/jk_ajp_common.h
tomcat/jk/trunk/native/common/jk_service.h
tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml
tomcat/jk/trunk/xdocs/reference/apache.xml
Modified: tomcat/jk/trunk/native/apache-1.3/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-1.3/mod_jk.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/jk/trunk/native/apache-1.3/mod_jk.c Tue Feb 17 21:35:17 2015
@@ -75,6 +75,7 @@
 #define JK_ENV_LOCAL_PORT ("JK_LOCAL_PORT")
 #define JK_ENV_IGNORE_CL ("JK_IGNORE_CL")
 #define JK_ENV_HTTPS ("HTTPS")
+#define JK_ENV_SSL_PROTOCOL ("SSL_PROTOCOL")
 #define JK_ENV_CERTS ("SSL_CLIENT_CERT")
 #define JK_ENV_CIPHER ("SSL_CIPHER")
 #define JK_ENV_SESSION ("SSL_SESSION_ID")
@@ -198,6 +199,7 @@ typedef struct
 */
 int ssl_enable;
 char *https_indicator;
+ char *ssl_protocol_indicator;
 char *certs_indicator;
 char *cipher_indicator;
 char *session_indicator;
@@ -1018,6 +1020,9 @@ static int init_ws_service(apache_privat
 s->ssl_cert_len, s->ssl_cert);
 }
 }
+ s->ssl_protocol =
+ (char *)ap_table_get(r->subprocess_env,
+ conf->ssl_protocol_indicator);
 /* Servlet 2.3 API */
 s->ssl_cipher =
 (char *)ap_table_get(r->subprocess_env,
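Review bot: The default `JK_ENV_SSL_PROTOCOL ("SSL_PROTOCOL")` names a mod_ssl variable that mod_ssl only places into `r->subprocess_env` when `SSLOptions +StdEnvVars` is enabled, so with default SSL options the new `s->ssl_protocol` assignment in init_ws_service yields NULL and the attribute is silently never forwarded. Unless mod_jk resolves the name through mod_ssl's variable lookup somewhere this diff does not show, a comment next to the define, `/* exported by mod_ssl only with SSLOptions +StdEnvVars */`, and a matching sentence in the JkSSLPROTOCOLIndicator documentation would spare operators a debugging round. The same applies to the apache-2.0 hunks further down. init_ws_service starts and ends outside the hunk.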
@@ -2068,6 +2073,25 @@ static const char *jk_set_https_indicato
 }
 
 /*
+ * JkSSLPROTOCOLIndicator Directive Handling
+ *
+ * JkSSLPROTOCOLIndicator SSL_PROTOCOL
+ */
+
+ static const char *jk_set_ssl_protocol_indicator(cmd_parms * cmd,
+ void *dummy, char *indicator)
+ {
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->ssl_protocol_indicator = ap_pstrdup(cmd->pool, indicator);
+
+ return NULL;
+ }
+
+ /*
 * JkCERTSIndicator Directive Handling
 *
 * JkCERTSIndicator SSL_CLIENT_CERT
@@ -2466,6 +2490,8 @@ static const command_rec jk_cmds[] = {
 */
 {"JkHTTPSIndicator", jk_set_https_indicator, NULL, RSRC_CONF, TAKE1,
 "Name of the Apache environment that contains SSL indication"},
+ {"JkSSLPROTOCOLIndicator", jk_set_ssl_protocol_indicator, NULL, RSRC_CONF, TAKE1,
+ "Name of the Apache environment that contains the SSL protocol name"},
 {"JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF, TAKE1,
 "Name of the Apache environment that contains SSL client certificates"},
 {"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
@@ -2822,6 +2848,7 @@ static void *create_jk_config(ap_pool *
 * to be in more use).
 */
 c->https_indicator = JK_ENV_HTTPS;
+ c->ssl_protocol_indicator = JK_ENV_SSL_PROTOCOL;
 c->certs_indicator = JK_ENV_CERTS;
 c->cipher_indicator = JK_ENV_CIPHER;
 c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
@@ -2898,6 +2925,8 @@ static void *merge_jk_config(ap_pool * p
 overrides->ssl_enable = base->ssl_enable;
 if (!overrides->https_indicator)
 overrides->https_indicator = base->https_indicator;
+ if (!overrides->ssl_protocol_indicator)
+ overrides->ssl_protocol_indicator = base->ssl_protocol_indicator;
 if (!overrides->certs_indicator)
 overrides->certs_indicator = base->certs_indicator;
 if (!overrides->cipher_indicator)
Modified: tomcat/jk/trunk/native/apache-2.0/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-2.0/mod_jk.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/jk/trunk/native/apache-2.0/mod_jk.c Tue Feb 17 21:35:17 2015
@@ -110,6 +110,7 @@
 #define JK_ENV_LOCAL_PORT ("JK_LOCAL_PORT")
 #define JK_ENV_IGNORE_CL ("JK_IGNORE_CL")
 #define JK_ENV_HTTPS ("HTTPS")
+#define JK_ENV_SSL_PROTOCOL ("SSL_PROTOCOL")
 #define JK_ENV_CERTS ("SSL_CLIENT_CERT")
 #define JK_ENV_CIPHER ("SSL_CIPHER")
 #define JK_ENV_SESSION ("SSL_SESSION_ID")
@@ -228,6 +229,7 @@ typedef struct
 */
 int ssl_enable;
 char *https_indicator;
+ char *ssl_protocol_indicator;
 char *certs_indicator;
 char *cipher_indicator;
 char *session_indicator; /* Servlet API 2.3 requirement */
@@ -1077,6 +1079,9 @@ static int init_ws_service(apache_privat
 s->ssl_cert_len, s->ssl_cert);
 }
 }
+ s->ssl_protocol =
+ (char *)apr_table_get(r->subprocess_env,
+ conf->ssl_protocol_indicator);
 /* Servlet 2.3 API */
 s->ssl_cipher =
 (char *)apr_table_get(r->subprocess_env,
@@ -2158,6 +2163,25 @@ static const char *jk_set_https_indicato
 }
 
 /*
+ * JkSSLPROTOCOLIndicator Directive Handling
+ *
+ * JkSSLPROTOCOLIndicator SSL_PROTOCOL
+ */
+
+ static const char *jk_set_ssl_protocol_indicator(cmd_parms * cmd,
+ void *dummy, const char *indicator)
+ {
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->ssl_protocol_indicator = apr_pstrdup(cmd->pool, indicator);
+
+ return NULL;
+ }
+
+ /*
 * JkCERTSIndicator Directive Handling
 *
 * JkCERTSIndicator SSL_CLIENT_CERT
@@ -2588,6 +2612,8 @@ static const command_rec jk_cmds[] = {
 */
 AP_INIT_TAKE1("JkHTTPSIndicator", jk_set_https_indicator, NULL, RSRC_CONF,
 "Name of the Apache environment that contains SSL indication"),
+ AP_INIT_TAKE1("JkSSLPROTOCOLIndicator", jk_set_ssl_protocol_indicator, NULL, RSRC_CONF,
+ "Name of the Apache environment that contains the SSL protocol name"),
 AP_INIT_TAKE1("JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF,
 "Name of the Apache environment that contains SSL client certificates"),
 AP_INIT_TAKE1("JkCIPHERIndicator", jk_set_cipher_indicator, NULL,
@@ -3075,6 +3101,7 @@ static void *create_jk_config(apr_pool_t
 * to be in more use).
 */
 c->https_indicator = JK_ENV_HTTPS;
+ c->ssl_protocol_indicator = JK_ENV_SSL_PROTOCOL;
 c->certs_indicator = JK_ENV_CERTS;
 c->cipher_indicator = JK_ENV_CIPHER;
 c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
@@ -3154,6 +3181,8 @@ static void *merge_jk_config(apr_pool_t
 overrides->ssl_enable = base->ssl_enable;
 if (!overrides->https_indicator)
 overrides->https_indicator = base->https_indicator;
+ if (!overrides->ssl_protocol_indicator)
+ overrides->ssl_protocol_indicator = base->ssl_protocol_indicator;
 if (!overrides->certs_indicator)
 overrides->certs_indicator = base->certs_indicator;
 if (!overrides->cipher_indicator)
Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_ajp_common.c (original)
+++ tomcat/jk/trunk/native/common/jk_ajp_common.c Tue Feb 17 21:35:17 2015
@@ -591,6 +591,21 @@ static int ajp_marshal_into_msgb(jk_msg_
 }
 }
 
+ /* Forward the SSL protocol name.
+ * Modern Tomcat versions know how to retrieve
+ * the protocol name from this attribute.
+ */
+ if (s->ssl_protocol && *s->ssl_protocol) {
+ if (jk_b_append_byte(msg, SC_A_REQ_ATTRIBUTE) ||
+ jk_b_append_string(msg, SC_A_SSL_PROTOCOL) ||
+ jk_b_append_string(msg, s->ssl_protocol)) {
+ jk_log(l, JK_LOG_ERROR,
+ "(%s) failed appending the ssl protocol name %s",
+ ae->worker->name, s->ssl_protocol);
+ JK_TRACE_EXIT(l);
+ return JK_FALSE;
+ }
+ }
 /* Forward the remote port information, which was forgotten
 * from the builtin data of the AJP 13 protocol.
 * Since the servlet spec allows to retrieve it via getRemotePort(),
Modified: tomcat/jk/trunk/native/common/jk_ajp_common.h
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.h?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_ajp_common.h (original)
+++ tomcat/jk/trunk/native/common/jk_ajp_common.h Tue Feb 17 21:35:17 2015
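Review bot: The new `if (s->ssl_protocol && *s->ssl_protocol)` in ajp_marshal_into_msgb reads a field that only the two Apache connectors in this commit assign, so every other producer of jk_ws_service (the IIS and NSAPI front-ends are not touched here) now depends on the struct being zeroed before use, otherwise the test dereferences an indeterminate pointer. If jk_init_ws_service already clears the whole struct this is fine, but it is worth confirming and recording on the field comment in jk_service.h, e.g. `ssl_protocol - ... NULL when the web server did not provide it`. Separately, the inserted block runs straight into the `/* Forward the remote port information` comment; a blank line before it would match the blocks around it. ajp_marshal_into_msgb starts and ends outside the hunk.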
@@ -75,6 +75,11 @@ extern "C"
 */
 /*
 * The following request attribute is recognized by Tomcat
+ * to contain the name of the ssl protocol used
+ */
+#define SC_A_SSL_PROTOCOL ("AJP_SSL_PROTOCOL")
+/*
+ * The following request attribute is recognized by Tomcat
 * to contain the forwarded remote port.
 */
 #define SC_A_REQ_REMOTE_PORT ("AJP_REMOTE_PORT")
Modified: tomcat/jk/trunk/native/common/jk_service.h
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_service.h?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_service.h (original)
+++ tomcat/jk/trunk/native/common/jk_service.h Tue Feb 17 21:35:17 2015
@@ -181,6 +181,7 @@ struct jk_ws_service
 * SSL information
 *
 * is_ssl - True if request is in ssl connection
+ * ssl_protocol- Name of the SSL protocol (SSLv3, TLSv1, TLSv1.1, TLSv1.2)
 * ssl_cert - If available, base64 ASN.1 encoded client certificates.
 * ssl_cert_len - Length of ssl_cert, 0 if certificates are not available.
 * ssl_cipher - The ssl cipher suite in use.
@@ -190,6 +191,7 @@ struct jk_ws_service
 * case, we are passing NULL.
 */
 int is_ssl;
+ char *ssl_protocol;
 char *ssl_cert;
 unsigned ssl_cert_len;
 char *ssl_cipher;
Modified: tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml Tue Feb 17 21:35:17 2015
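Review bot: The new field comment in the jk_service.h hunk, `* ssl_protocol- Name of the SSL protocol (SSLv3, TLSv1, TLSv1.1, TLSv1.2)`, drops the space before the dash that every sibling entry uses, and the hard-coded version list will go stale as soon as a newer TLS version is negotiated. Suggest ` * ssl_protocol - Name of the SSL/TLS protocol version as reported by the web server (e.g. TLSv1.2), NULL when not provided`, which also documents the NULL case that ajp_marshal_into_msgb relies on. The enclosing struct jk_ws_service starts and ends outside the hunk.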
@@ -215,6 +215,10 @@ This should only be used on multi-homed hosts. The feature is experimental. (rjung) </add> + <add> + <bug>57540</bug>: AJP: Forward name of SSL protocol used for handling + the request (SSLv3, TLSv1, TLSv1.1, TLSv1.2). (rjung) + </add> </changelog> </subsection> </section> Modified: tomcat/jk/trunk/xdocs/reference/apache.xml URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/xdocs/reference/apache.xml?rev=1660504&r1=1660503&r2=1660504&view=diff ============================================================================== --- tomcat/jk/trunk/xdocs/reference/apache.xml (original) +++ tomcat/jk/trunk/xdocs/reference/apache.xml Tue Feb 17 21:35:17 2015 @@ -323,6 +323,14 @@ to add <code>SSLOptions +ExportCertData< </tr> </table> <p> + In addition mod_jk sends the name of the SSL protocol used as a proprietary + request attribute named <code>AJP_SSL_PROTOCOL</code>. Modern Tomcat + versions will expose this attribute under the name + <code>org.apache.tomcat.util.net.secure_protocol_version</code>. + This feature has been added in version 1.2.41 of mod_jk. See also + JkSSLPROTOCOLIndicator. +</p> +<p> For all other SSL-related variables, use <code>JkEnvVar</code> for each variable you want. Please note that, like <code>JkEnvVar</code>, these variables are available from the request <i><b>attributes</b></i>, not as 
@@ -334,6 +342,13 @@ Name of the Apache environment variable
 <br/>
 The default value is "HTTPS".
 </p></attribute>
+<attribute name="JkSSLPROTOCOLIndicator" required="false"><p>
+Name of the Apache environment variable that contains the SSL protocol name.
+<br/>
+The default value is "SSL_PROTOCOL".
+<br/>
+This directive has been added in version 1.2.41 of mod_jk.
+</p></attribute>
 <attribute name="JkCERTSIndicator" required="false"><p>
 Name of the Apache environment variable that contains SSL client certificates.
 <br/>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org