Author: schultz Date: Fri Feb 27 01:37:19 2015 New Revision: 1662614 URL: http://svn.apache.org/r1662614 Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
Respect TLS server cipher ordering in JSSE-based connectors. Patch provided by Ognjen Blagojevic.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1662614&r1=1662613&r2=1662614&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri Feb 27 01:37:19 2015
@@ -31,6 +31,8 @@ import java.util.concurrent.Executor;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 
 import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.IntrospectionUtils;
@@ -964,6 +966,10 @@ public abstract class AbstractEndpoint<S
 */
 public abstract String[] getCiphersUsed();
 
+ private String useServerCipherSuitesOrder = "false";
+ public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
+ public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
+
 private String keyAlias = null;
 public String getKeyAlias() { return keyAlias;}
 public void setKeyAlias(String s ) { keyAlias = s;}
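Review bot: `setUseServerCipherSuitesOrder` stores the raw string, and `configureUseServerCipherSuitesOrder` in the @@ -1065 hunk maps anything other than true/yes (after trim) to false without a trace, so a typo such as `tru`, or a null handed in by a programmatic caller (an NPE at `.trim()`), surfaces only per connection at engine creation, and for a setting whose purpose is to make the server's preference win over the client's, silent fall-back to the permissive default is the wrong failure mode. Validating once in the setter, warning on unrecognised values and normalising what is stored, gives the operator an early signal and keeps the per-engine path to a plain comparison. The http.xml hunk documents only `true`/`false` while the code also accepts `yes`; the two should agree. The enclosing class continues outside the hunk.
```java
public void setUseServerCipherSuitesOrder(String s) {
    String value = (s == null) ? "false" : s.trim();
    boolean recognised = "true".equalsIgnoreCase(value) || "yes".equalsIgnoreCase(value)
            || "false".equalsIgnoreCase(value) || "no".equalsIgnoreCase(value);
    if (!recognised) {
        // literal message here; the project would normally route it through its StringManager
        getLog().warn("Unrecognised useServerCipherSuitesOrder value [" + s + "], treating it as false");
    }
    this.useServerCipherSuitesOrder = value;
}
```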
@@ -1065,6 +1071,22 @@ public abstract class AbstractEndpoint<S
 protected final Set<SocketWrapperBase<S>> waitingRequests = Collections
 .newSetFromMap(new ConcurrentHashMap<SocketWrapperBase<S>, Boolean>());
 
+ /**
+ * Configures SSLEngine to honor cipher suites ordering based upon
+ * endpoint configuration.
+ */
+ protected void configureUseServerCipherSuitesOrder(SSLEngine engine) {
+ String useServerCipherSuitesOrderStr = this
+ .getUseServerCipherSuitesOrder().trim();
+
+ SSLParameters sslParameters = engine.getSSLParameters();
+ boolean useServerCipherSuitesOrder =
+ ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
+ || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
+
+ sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder);
+ engine.setSSLParameters(sslParameters);
+ }
 
 /**
 * The async timeout thread.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1662614&r1=1662613&r2=1662614&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Fri Feb 27 01:37:19 2015
@@ -545,6 +545,8 @@ public class Nio2Endpoint extends Abstra
 engine.setEnabledCipherSuites(enabledCiphers);
 engine.setEnabledProtocols(enabledProtocols);
 
+ configureUseServerCipherSuitesOrder(engine);
+
 return engine;
 }
 
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1662614&r1=1662613&r2=1662614&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri Feb 27 01:37:19 2015
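Review bot: The new `configureUseServerCipherSuitesOrder(engine)` call in the Nio2Endpoint hunk depends on coming after `setEnabledCipherSuites` and `setEnabledProtocols`, because `SSLEngine.getSSLParameters()` snapshots the engine's current suites and protocols and `setSSLParameters()` writes that snapshot back, so moving the call between those two setters would quietly undo the later one; nothing in the hunk or in the helper's Javadoc records this constraint. A one-line comment above the call would pin it: `// Must follow setEnabledCipherSuites/Protocols: getSSLParameters() snapshots them and setSSLParameters() reapplies them`. The same applies to the identical hunk in NioEndpoint at @@ -574. The enclosing method starts outside the hunk.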
@@ -574,6 +574,8 @@ public class NioEndpoint extends Abstrac
 engine.setEnabledCipherSuites(enabledCiphers);
 engine.setEnabledProtocols(enabledProtocols);
 
+ configureUseServerCipherSuitesOrder(engine);
+
 return engine;
 }
 
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1662614&r1=1662613&r2=1662614&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Feb 27 01:37:19 2015
@@ -69,6 +69,10 @@
 Refactor HTTP upgrade and AJP implementations to reduce duplication.
 (markt)
 </scode>
+ <fix>
+ <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS
+ cipher suite ordering. Patch provided by Ognjen Blagojevic. (schultz)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Tribes">
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1662614&r1=1662613&r2=1662614&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Feb 27 01:37:19 2015
@@ -1032,6 +1032,15 @@
 </p>
 </attribute>
 
+ <attribute name="useServerCipherSuitesOrder" required="false">
+ <p>
+ Set to <code>true</code> to enforce the server's cipher order
+ (from the <code>ciphers</code> setting). Set to <code>false</code>
+ to choose the first acceptable cipher suite presented by the client.
+ Default is <code>false</code>.
+ </p>
+ </attribute>
+
 <attribute name="ciphers" required="false">
 <p>If specified and using ',' as a separator, only the ciphers that
 are listed and supported by the SSL implementation will be used.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org