Author: markt
Date: Fri May 1 10:33:43 2015
New Revision: 1677107
URL: http://svn.apache.org/r1677107
Log:
Move useServerCipherSuitesOrder/SSLHonorCipherOrder to SSLHostConfig
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Fri
May 1 10:33:43 2015
@@ -382,21 +382,25 @@ public abstract class AbstractHttp11Prot
defaultSSLHostConfig.setCertificateKeyFile(certificateKeyFile);
}
+
public void setAlgorithm(String keyManagerAlgorithm) {
registerDefaultSSLHostConfig();
defaultSSLHostConfig.setKeyManagerAlgorithm(keyManagerAlgorithm);
}
+
public void setClientAuth(String certificateVerification) {
registerDefaultSSLHostConfig();
defaultSSLHostConfig.setCertificateVerification(certificateVerification);
}
+
public void setSSLVerifyClient(String certificateVerification) {
registerDefaultSSLHostConfig();
defaultSSLHostConfig.setCertificateVerification(certificateVerification);
}
+
public void setTrustMaxCertLength(int certificateVerificationDepth){
registerDefaultSSLHostConfig();
defaultSSLHostConfig.setCertificateVerificationDepth(certificateVerificationDepth);
@@ -407,6 +411,16 @@ public abstract class AbstractHttp11Prot
}
+ public void setUseServerCipherSuitesOrder(boolean honorCipherOrder) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setHonorCipherOrder(honorCipherOrder);
+ }
+ public void setSSLHonorCipherOrder(boolean honorCipherOrder) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setHonorCipherOrder(honorCipherOrder);
+ }
+
+
// ------------------------------------------------------------- Common
code
// Common configuration required for all new HTTP11 processors
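Review bot: The two setters added here, `setUseServerCipherSuitesOrder` and `setSSLHonorCipherOrder`, have no Javadoc, so nothing records that the second is the APR-era spelling of the first or that both only forward to `defaultSSLHostConfig`; a one-liner on each such as `/** Alias for {@code honorCipherOrder} on the default SSLHostConfig (APR connector spelling). */` would keep that visible to whoever later removes one of the names. The two methods are also pressed together with no separating blank line, unlike the neighbouring setters that the previous hunk of this file just spaced out. The Http11AprProtocol hunk removes `getSSLHonorCipherOrder()` without a getter appearing here, so the effective value is presumably no longer readable through the protocol's attributes; worth confirming that is intended rather than an oversight.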
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Fri May
1 10:33:43 2015
@@ -86,16 +86,6 @@ public class Http11AprProtocol extends A
public String getSSLCipherSuite() { return
((AprEndpoint)getEndpoint()).getSSLCipherSuite(); }
public void setSSLCipherSuite(String SSLCipherSuite) {
((AprEndpoint)getEndpoint()).setSSLCipherSuite(SSLCipherSuite); }
- /**
- * SSL honor cipher order.
- *
- * Set to <code>true</code> to enforce the <i>server's</i> cipher order
- * instead of the default which is to allow the client to choose a
- * preferred cipher.
- */
- public boolean getSSLHonorCipherOrder() { return
((AprEndpoint)getEndpoint()).getSSLHonorCipherOrder(); }
- public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) {
((AprEndpoint)getEndpoint()).setSSLHonorCipherOrder(SSLHonorCipherOrder); }
-
/**
* SSL certificate chain file.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Fri
May 1 10:33:43 2015
@@ -98,11 +98,9 @@ public abstract class AbstractJsseEndpoi
engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
- // Force server cipher suite order to be honored
SSLParameters sslParameters = engine.getSSLParameters();
- sslParameters.setUseCipherSuitesOrder(true);
- // Following line may not be required. Depends if JRE takes a defensive
- // copy. Keep the line to avoid any possible issues.
+
sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
+ // In case the getter returns a defensive copy
engine.setSSLParameters(sslParameters);
return engine;
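Review bot: The JSSE default quietly flips here: the removed line forced `sslParameters.setUseCipherSuitesOrder(true)`, while the replacement reads `sslHostConfig.getHonorCipherOrder()`, whose backing field is initialised to `false` in the first SSLHostConfig hunk, so a connector with no explicit honorCipherOrder/useServerCipherSuitesOrder now lets the client pick the cipher where it previously did not. If the previous hardening is meant to survive, either the field default needs to be `true` for JSSE or the new http.xml text for `useServerCipherSuitesOrder` should state the default explicitly so operators know to set it. The stray empty added line before the `setUseCipherSuitesOrder` call looks like leftover whitespace. The enclosing method starts outside the hunk.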
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri May 1
10:33:43 2015
@@ -279,19 +279,6 @@ public class AprEndpoint extends Abstrac
public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation)
{ this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
public boolean getSSLInsecureRenegotiation() { return
SSLInsecureRenegotiation; }
- protected boolean SSLHonorCipherOrder = false;
- /**
- * Configures whether or not this endpoint enforces the server's preference
- * order ciphers.
- *
- * @param SSLHonorCipherOrder Set to <code>true</code> to enforce the
- * server's cipher order instead of the
default
- * which is to allow the client to choose a
- * preferred cipher.
- */
- public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) {
this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
- public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
-
/**
* Disables compression of the SSL stream. This thwarts CRIME attack
* and possibly improves performance by not compressing uncompressible
@@ -532,7 +519,7 @@ public class AprEndpoint extends Abstrac
}
// Set cipher order: client (default) or server
- if (SSLHonorCipherOrder) {
+ if (sslHostConfig.getHonorCipherOrder()) {
boolean orderCiphersSupported = false;
try {
orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri May 1
10:33:43 2015
@@ -46,6 +46,7 @@ public class SSLHostConfig {
// Common
private CertificateVerification certificateVerification =
CertificateVerification.NONE;
private int certificateVerificationDepth = 10;
+ private boolean honorCipherOrder = false;
private Set<String> protocols = new HashSet<>();
// JSSE
@@ -122,6 +123,16 @@ public class SSLHostConfig {
}
+ public void setHonorCipherOrder(boolean honorCipherOrder) {
+ this.honorCipherOrder = honorCipherOrder;
+ }
+
+
+ public boolean getHonorCipherOrder() {
+ return honorCipherOrder;
+ }
+
+
public void setHostName(String hostName) {
this.hostName = hostName;
}
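Review bot: `setHonorCipherOrder` and `getHonorCipherOrder` are added without Javadoc, while the AprEndpoint hunk deletes the only description this option had; that text should move here rather than disappear, e.g. on the setter `/** Set to {@code true} to enforce the server's cipher preference order instead of letting the client choose. Default is {@code false}. */`, with the getter documenting that it returns the configured value. Stating the default in the Javadoc matters because the JSSE path previously hard-coded server preference and now depends on this field. The double blank lines between the new methods also differ from the single blank line used before `setHostName`, unless the file's convention elsewhere is the double form.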
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677107&r1=1677106&r2=1677107&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri May 1 10:33:43 2015
@@ -1085,6 +1085,12 @@
of 10 will be used.</p>
</attribute>
+ <attribute name="honorCipherOrder" required="false">
+ <p>Set to <code>true</code> to enforce the server's cipher order
+ (from the <code>ciphers</code> setting) instead of allowing
+ the client to choose the cipher (which is the default).</p>
+ </attribute>
+
<attribute name="hostName" required="false">
<p>The name of the SSL Host. This should either be the fully qualified
domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
@@ -1158,8 +1164,8 @@
branch.</p>
<p>If not specified, a default (using the OpenSSL notation) of
<code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p>
- <p>Note that JSSE based connectors will always be configured to treat the
- order in which ciphers are defined as an order of preference.</p>
+ <p>Note that Java does not treat the order in which ciphers are defined
as
+ an order of preference. See <code>useServerCipherSuitesOrder</code>.</p>
</attribute>
<attribute name="clientAuth" required="false">
@@ -1318,6 +1324,12 @@
the default.</p>
</attribute>
+ <attribute name="useServerCipherSuitesOrder" required="false">
+ <p>This is an alias for the <code>honorCipherOrder</code> attribute of
the
+ default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
+ </attribute>
+
</attributes>
</subsection>
@@ -1416,9 +1428,9 @@
</attribute>
<attribute name="SSLHonorCipherOrder" required="false">
- <p>Set to <code>true</code> to enforce the server's cipher order
- (from the <code>SSLCipherSuite</code> setting) instead of allowing
- the client to choose the cipher (which is the default).</p>
+ <p>This is an alias for the <code>honorCipherOrder</code> attribute of
the
+ default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="SSLPassword" required="false">