Author: markt
Date: Mon Apr 13 13:53:59 2015
New Revision: 1673194
URL: http://svn.apache.org/r1673194
Log:
Remove a BIO-specific option
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/webapps/docs/config/http.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
Mon Apr 13 13:53:59 2015
@@ -99,13 +99,6 @@ public abstract class AbstractHttp11Jsse
public void setSessionTimeout(String
s){getEndpoint().setSessionTimeout(s);}
public String getSessionTimeout(){ return
getEndpoint().getSessionTimeout();}
- public void setAllowUnsafeLegacyRenegotiation(String s) {
- getEndpoint().setAllowUnsafeLegacyRenegotiation(s);
- }
- public String getAllowUnsafeLegacyRenegotiation() {
- return getEndpoint().getAllowUnsafeLegacyRenegotiation();
- }
-
public String getSslImplementationName() { return
getEndpoint().getSslImplementationName(); }
public void setSslImplementationName(String s) {
getEndpoint().setSslImplementationName(s); }
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Mon Apr
13 13:53:59 2015
@@ -1038,14 +1038,6 @@ public abstract class AbstractEndpoint<S
public String getSessionTimeout() { return sessionTimeout;}
public void setSessionTimeout(String s) { sessionTimeout = s;}
- private String allowUnsafeLegacyRenegotiation = null;
- public String getAllowUnsafeLegacyRenegotiation() {
- return allowUnsafeLegacyRenegotiation;
- }
- public void setAllowUnsafeLegacyRenegotiation(String s) {
- allowUnsafeLegacyRenegotiation = s;
- }
-
private String[] sslEnabledProtocolsarr = new String[0];
public String[] getSslEnabledProtocolsArray() {
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon Apr 13 13:53:59 2015
@@ -1025,19 +1025,6 @@
documentation for the default value.</p>
</attribute>
- <attribute name="allowUnsafeLegacyRenegotiation" required="false">
- <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
- users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
- protocol that allows an attacker to inject arbitrary data into the user's
- request. If not specified, a default of <code>false</code> is used. This
- attribute only has an effect if the JVM does not support RFC 5746 as
- indicated by the presence of the pseudo-ciphersuite
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
- onwards. Where RFC 5746 is supported the renegotiation - including
support
- for unsafe legacy renegotiation - is controlled by the JVM configuration.
- </p>
- </attribute>
-
<attribute name="useServerCipherSuitesOrder" required="false">
<p>
Set to <code>true</code> to enforce the server's cipher order
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Mon Apr 13 13:53:59 2015
@@ -294,15 +294,6 @@
proxy (the authenticated user name is passed to Tomcat as part of the AJP
protocol) with the option for Tomcat to still perform authorization.</p>
- <p>The <strong>allowUnsafeLegacyRenegotiation</strong> attribute provides
- a workaround for
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
- CVE-2009-3555</a>, a TLS man in the middle attack. This workaround
applies
- to the BIO connector. It is only necessary if the underlying SSL
- implementation is vulnerable to CVE-2009-3555. For more information on
the
- current state of this vulnerability and the work-arounds available see
the
- <security>Tomcat <version-major/> security page</security>.</p>
-
<p>The <strong>requiredSecret</strong> attribute in AJP connectors
configures shared secret between Tomcat and reverse proxy in front of
Tomcat. It is used to prevent unauthorized connections over AJP
protocol.</p>