Author: rjung
Date: Tue Feb 17 21:35:17 2015
New Revision: 1660504
URL: http://svn.apache.org/r1660504
Log:
AJP: Forward name of SSL protocol used for handling
the request (SSLv3, TLSv1, TLSv1.1, TLSv1.2).
This is related to Tomcat BZ 57540.
Modified:
tomcat/jk/trunk/native/apache-1.3/mod_jk.c
tomcat/jk/trunk/native/apache-2.0/mod_jk.c
tomcat/jk/trunk/native/common/jk_ajp_common.c
tomcat/jk/trunk/native/common/jk_ajp_common.h
tomcat/jk/trunk/native/common/jk_service.h
tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml
tomcat/jk/trunk/xdocs/reference/apache.xml
Modified: tomcat/jk/trunk/native/apache-1.3/mod_jk.c
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-1.3/mod_jk.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/jk/trunk/native/apache-1.3/mod_jk.c Tue Feb 17 21:35:17 2015
@@ -75,6 +75,7 @@
#define JK_ENV_LOCAL_PORT ("JK_LOCAL_PORT")
#define JK_ENV_IGNORE_CL ("JK_IGNORE_CL")
#define JK_ENV_HTTPS ("HTTPS")
+#define JK_ENV_SSL_PROTOCOL ("SSL_PROTOCOL")
#define JK_ENV_CERTS ("SSL_CLIENT_CERT")
#define JK_ENV_CIPHER ("SSL_CIPHER")
#define JK_ENV_SESSION ("SSL_SESSION_ID")
@@ -198,6 +199,7 @@ typedef struct
*/
int ssl_enable;
char *https_indicator;
+ char *ssl_protocol_indicator;
char *certs_indicator;
char *cipher_indicator;
char *session_indicator;
@@ -1018,6 +1020,9 @@ static int init_ws_service(apache_privat
s->ssl_cert_len, s->ssl_cert);
}
}
+ s->ssl_protocol =
+ (char *)ap_table_get(r->subprocess_env,
+ conf->ssl_protocol_indicator);
/* Servlet 2.3 API */
s->ssl_cipher =
(char *)ap_table_get(r->subprocess_env,
@@ -2068,6 +2073,25 @@ static const char *jk_set_https_indicato
}
/*
+ * JkSSLPROTOCOLIndicator Directive Handling
+ *
+ * JkSSLPROTOCOLIndicator SSL_PROTOCOL
+ */
+
+static const char *jk_set_ssl_protocol_indicator(cmd_parms * cmd,
+ void *dummy, char *indicator)
+{
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->ssl_protocol_indicator = ap_pstrdup(cmd->pool, indicator);
+
+ return NULL;
+}
+
+/*
* JkCERTSIndicator Directive Handling
*
* JkCERTSIndicator SSL_CLIENT_CERT
@@ -2466,6 +2490,8 @@ static const command_rec jk_cmds[] = {
*/
{"JkHTTPSIndicator", jk_set_https_indicator, NULL, RSRC_CONF, TAKE1,
"Name of the Apache environment that contains SSL indication"},
+ {"JkSSLPROTOCOLIndicator", jk_set_ssl_protocol_indicator, NULL, RSRC_CONF,
TAKE1,
+ "Name of the Apache environment that contains the SSL protocol name"},
{"JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF, TAKE1,
"Name of the Apache environment that contains SSL client certificates"},
{"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
@@ -2822,6 +2848,7 @@ static void *create_jk_config(ap_pool *
* to be in more use).
*/
c->https_indicator = JK_ENV_HTTPS;
+ c->ssl_protocol_indicator = JK_ENV_SSL_PROTOCOL;
c->certs_indicator = JK_ENV_CERTS;
c->cipher_indicator = JK_ENV_CIPHER;
c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
@@ -2898,6 +2925,8 @@ static void *merge_jk_config(ap_pool * p
overrides->ssl_enable = base->ssl_enable;
if (!overrides->https_indicator)
overrides->https_indicator = base->https_indicator;
+ if (!overrides->ssl_protocol_indicator)
+ overrides->ssl_protocol_indicator = base->ssl_protocol_indicator;
if (!overrides->certs_indicator)
overrides->certs_indicator = base->certs_indicator;
if (!overrides->cipher_indicator)
Modified: tomcat/jk/trunk/native/apache-2.0/mod_jk.c
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-2.0/mod_jk.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/jk/trunk/native/apache-2.0/mod_jk.c Tue Feb 17 21:35:17 2015
@@ -110,6 +110,7 @@
#define JK_ENV_LOCAL_PORT ("JK_LOCAL_PORT")
#define JK_ENV_IGNORE_CL ("JK_IGNORE_CL")
#define JK_ENV_HTTPS ("HTTPS")
+#define JK_ENV_SSL_PROTOCOL ("SSL_PROTOCOL")
#define JK_ENV_CERTS ("SSL_CLIENT_CERT")
#define JK_ENV_CIPHER ("SSL_CIPHER")
#define JK_ENV_SESSION ("SSL_SESSION_ID")
@@ -228,6 +229,7 @@ typedef struct
*/
int ssl_enable;
char *https_indicator;
+ char *ssl_protocol_indicator;
char *certs_indicator;
char *cipher_indicator;
char *session_indicator; /* Servlet API 2.3 requirement */
@@ -1077,6 +1079,9 @@ static int init_ws_service(apache_privat
s->ssl_cert_len, s->ssl_cert);
}
}
+ s->ssl_protocol =
+ (char *)apr_table_get(r->subprocess_env,
+ conf->ssl_protocol_indicator);
/* Servlet 2.3 API */
s->ssl_cipher =
(char *)apr_table_get(r->subprocess_env,
@@ -2158,6 +2163,25 @@ static const char *jk_set_https_indicato
}
/*
+ * JkSSLPROTOCOLIndicator Directive Handling
+ *
+ * JkSSLPROTOCOLIndicator SSL_PROTOCOL
+ */
+
+static const char *jk_set_ssl_protocol_indicator(cmd_parms * cmd,
+ void *dummy, const char
*indicator)
+{
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->ssl_protocol_indicator = apr_pstrdup(cmd->pool, indicator);
+
+ return NULL;
+}
+
+/*
* JkCERTSIndicator Directive Handling
*
* JkCERTSIndicator SSL_CLIENT_CERT
@@ -2588,6 +2612,8 @@ static const command_rec jk_cmds[] = {
*/
AP_INIT_TAKE1("JkHTTPSIndicator", jk_set_https_indicator, NULL, RSRC_CONF,
"Name of the Apache environment that contains SSL
indication"),
+ AP_INIT_TAKE1("JkSSLPROTOCOLIndicator", jk_set_ssl_protocol_indicator,
NULL, RSRC_CONF,
+ "Name of the Apache environment that contains the SSL
protocol name"),
AP_INIT_TAKE1("JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF,
"Name of the Apache environment that contains SSL client
certificates"),
AP_INIT_TAKE1("JkCIPHERIndicator", jk_set_cipher_indicator, NULL,
@@ -3075,6 +3101,7 @@ static void *create_jk_config(apr_pool_t
* to be in more use).
*/
c->https_indicator = JK_ENV_HTTPS;
+ c->ssl_protocol_indicator = JK_ENV_SSL_PROTOCOL;
c->certs_indicator = JK_ENV_CERTS;
c->cipher_indicator = JK_ENV_CIPHER;
c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
@@ -3154,6 +3181,8 @@ static void *merge_jk_config(apr_pool_t
overrides->ssl_enable = base->ssl_enable;
if (!overrides->https_indicator)
overrides->https_indicator = base->https_indicator;
+ if (!overrides->ssl_protocol_indicator)
+ overrides->ssl_protocol_indicator = base->ssl_protocol_indicator;
if (!overrides->certs_indicator)
overrides->certs_indicator = base->certs_indicator;
if (!overrides->cipher_indicator)
Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.c?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_ajp_common.c (original)
+++ tomcat/jk/trunk/native/common/jk_ajp_common.c Tue Feb 17 21:35:17 2015
@@ -591,6 +591,21 @@ static int ajp_marshal_into_msgb(jk_msg_
}
}
+ /* Forward the SSL protocol name.
+ * Modern Tomcat versions know how to retrieve
+ * the protocol name from this attribute.
+ */
+ if (s->ssl_protocol && *s->ssl_protocol) {
+ if (jk_b_append_byte(msg, SC_A_REQ_ATTRIBUTE) ||
+ jk_b_append_string(msg, SC_A_SSL_PROTOCOL) ||
+ jk_b_append_string(msg, s->ssl_protocol)) {
+ jk_log(l, JK_LOG_ERROR,
+ "(%s) failed appending the ssl protocol name %s",
+ ae->worker->name, s->ssl_protocol);
+ JK_TRACE_EXIT(l);
+ return JK_FALSE;
+ }
+ }
/* Forward the remote port information, which was forgotten
* from the builtin data of the AJP 13 protocol.
* Since the servlet spec allows to retrieve it via getRemotePort(),
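Review bot: The new attribute is appended whenever `s->ssl_protocol` is non-empty, with no `s->is_ssl` guard, even though the preceding SSL attributes appear to live inside a block that closes just above the insertion point (ajp_marshal_into_msgb starts and ends outside this hunk, so I cannot confirm that block is the `is_ssl` check). A connector that fills `ssl_protocol` from a generic environment lookup would then forward a protocol name on a plain-text request, which contradicts the `is_ssl` state carried in the same message. Suggest `if (s->is_ssl && s->ssl_protocol && *s->ssl_protocol) {` so the attribute follows the existing is_ssl decision, or a comment in the new block stating why it is intentionally sent regardless of `is_ssl`. The comment "Modern Tomcat versions" would also be more useful if it named the first Tomcat release that reads `AJP_SSL_PROTOCOL`, if that is known.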
Modified: tomcat/jk/trunk/native/common/jk_ajp_common.h
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.h?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_ajp_common.h (original)
+++ tomcat/jk/trunk/native/common/jk_ajp_common.h Tue Feb 17 21:35:17 2015
@@ -75,6 +75,11 @@ extern "C"
*/
/*
* The following request attribute is recognized by Tomcat
+ * to contain the name of the ssl protocol used
+ */
+#define SC_A_SSL_PROTOCOL ("AJP_SSL_PROTOCOL")
+/*
+ * The following request attribute is recognized by Tomcat
* to contain the forwarded remote port.
*/
#define SC_A_REQ_REMOTE_PORT ("AJP_REMOTE_PORT")
Modified: tomcat/jk/trunk/native/common/jk_service.h
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_service.h?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/native/common/jk_service.h (original)
+++ tomcat/jk/trunk/native/common/jk_service.h Tue Feb 17 21:35:17 2015
@@ -181,6 +181,7 @@ struct jk_ws_service
* SSL information
*
* is_ssl - True if request is in ssl connection
+ * ssl_protocol- Name of the SSL protocol (SSLv3, TLSv1, TLSv1.1, TLSv1.2)
* ssl_cert - If available, base64 ASN.1 encoded client certificates.
* ssl_cert_len - Length of ssl_cert, 0 if certificates are not available.
* ssl_cipher - The ssl cipher suite in use.
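Review bot: The new field description is formatted differently from its neighbours: `ssl_protocol- Name of the SSL protocol` has no space before the dash, while the surrounding entries use `name - description`. Suggest `* ssl_protocol - Name of the SSL protocol (SSLv3, TLSv1, TLSv1.1, TLSv1.2)` so the list stays aligned and greppable. The surrounding struct comment continues outside this hunk.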
@@ -190,6 +191,7 @@ struct jk_ws_service
* case, we are passing NULL.
*/
int is_ssl;
+ char *ssl_protocol;
char *ssl_cert;
unsigned ssl_cert_len;
char *ssl_cipher;
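Review bot: The new `ssl_protocol` member is assigned only by the two Apache connectors touched in this commit, yet the consumer in jk_ajp_common.c tests `s->ssl_protocol && *s->ssl_protocol` on every request; every other producer of `jk_ws_service` therefore relies on the struct being zero-filled before use. If the service initializer clears the whole struct that is fine; if it sets members individually (I cannot see it from this hunk), it needs an explicit `s->ssl_protocol = NULL;` or the check reads an indeterminate pointer. Either way the contract is worth stating on the member, e.g. `char *ssl_protocol; /* NULL when unknown; forwarded to the backend only if non-empty */`. The enclosing `struct jk_ws_service` starts and ends outside this hunk.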
Modified: tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/jk/trunk/xdocs/miscellaneous/changelog.xml Tue Feb 17 21:35:17 2015
@@ -215,6 +215,10 @@
This should only be used on multi-homed hosts. The feature is
experimental. (rjung)
</add>
+ <add>
+ <bug>57540</bug>: AJP: Forward name of SSL protocol used for handling
+ the request (SSLv3, TLSv1, TLSv1.1, TLSv1.2). (rjung)
+ </add>
</changelog>
</subsection>
</section>
Modified: tomcat/jk/trunk/xdocs/reference/apache.xml
URL:
http://svn.apache.org/viewvc/tomcat/jk/trunk/xdocs/reference/apache.xml?rev=1660504&r1=1660503&r2=1660504&view=diff
==============================================================================
--- tomcat/jk/trunk/xdocs/reference/apache.xml (original)
+++ tomcat/jk/trunk/xdocs/reference/apache.xml Tue Feb 17 21:35:17 2015
@@ -323,6 +323,14 @@ to add <code>SSLOptions +ExportCertData<
</tr>
</table>
<p>
+ In addition mod_jk sends the name of the SSL protocol used as a proprietary
+ request attribute named <code>AJP_SSL_PROTOCOL</code>. Modern Tomcat
+ versions will expose this attribute under the name
+ <code>org.apache.tomcat.util.net.secure_protocol_version</code>.
+ This feature has been added in version 1.2.41 of mod_jk. See also
+ JkSSLPROTOCOLIndicator.
+</p>
+<p>
For all other SSL-related variables, use <code>JkEnvVar</code> for each
variable you want. Please note that, like <code>JkEnvVar</code>, these
variables are available from the request <i><b>attributes</b></i>, not as
@@ -334,6 +342,13 @@ Name of the Apache environment variable
<br/>
The default value is "HTTPS".
</p></attribute>
+<attribute name="JkSSLPROTOCOLIndicator" required="false"><p>
+Name of the Apache environment variable that contains the SSL protocol name.
+<br/>
+The default value is "SSL_PROTOCOL".
+<br/>
+This directive has been added in version 1.2.41 of mod_jk.
+</p></attribute>
<attribute name="JkCERTSIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL client certificates.
<br/>