Author: markt
Date: Mon May 11 13:38:49 2015
New Revision: 1678754
URL: http://svn.apache.org/r1678754
Log:
Switch the honorCipherOrder default to true and refactor the openSSL option
setting to set/clear each option as appropriate
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1678754&r1=1678753&r2=1678754&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon May 11
13:38:49 2015
@@ -414,72 +414,83 @@ public class AprEndpoint extends Abstrac
sm.getString("endpoint.apr.failSslContextMake"),
e);
}
- if (sslHostConfig.getInsecureRenegotiation()) {
- boolean legacyRenegSupported = false;
- try {
- legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- if (legacyRenegSupported)
+ boolean legacyRenegSupported = false;
+ try {
+ legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ if (legacyRenegSupported)
+ if (sslHostConfig.getInsecureRenegotiation()) {
SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!legacyRenegSupported) {
- // OpenSSL does not support unsafe legacy
renegotiation.
- log.warn(sm.getString("endpoint.warn.noInsecureReneg",
- SSL.versionString()));
- }
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ }
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!legacyRenegSupported) {
+ // OpenSSL does not support unsafe legacy renegotiation.
+ log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+ SSL.versionString()));
}
- // Set cipher order: client (default) or server
- if (sslHostConfig.getHonorCipherOrder()) {
- boolean orderCiphersSupported = false;
- try {
- orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- if (orderCiphersSupported)
+ // Use server's preference order for ciphers (rather than
+ // client's)
+ boolean orderCiphersSupported = false;
+ try {
+ orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (orderCiphersSupported) {
+ if (sslHostConfig.getHonorCipherOrder()) {
SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!orderCiphersSupported) {
- // OpenSSL does not support ciphers ordering.
-
log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
- SSL.versionString()));
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!orderCiphersSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+ SSL.versionString()));
}
// Disable compression if requested
- if (sslHostConfig.getDisableCompression()) {
- boolean disableCompressionSupported = false;
- try {
- disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
- if (disableCompressionSupported)
+ boolean disableCompressionSupported = false;
+ try {
+ disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+ if (disableCompressionSupported) {
+ if (sslHostConfig.getDisableCompression()) {
SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableCompressionSupported) {
- // OpenSSL does not support ciphers ordering.
-
log.warn(sm.getString("endpoint.warn.noDisableCompression",
- SSL.versionString()));
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!disableCompressionSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noDisableCompression",
+ SSL.versionString()));
}
// Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
- if (sslHostConfig.getDisableSessionTickets()) {
- boolean disableSessionTicketsSupported = false;
- try {
- disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
- if (disableSessionTicketsSupported)
+ boolean disableSessionTicketsSupported = false;
+ try {
+ disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+ if (disableSessionTicketsSupported) {
+ if (sslHostConfig.getDisableSessionTickets()) {
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
-
- if (!disableSessionTicketsSupported) {
- // OpenSSL is too old to support TLS Session Tickets.
-
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
- SSL.versionString()));
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!disableSessionTicketsSupported) {
+ // OpenSSL is too old to support TLS Session Tickets.
+
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+ SSL.versionString()));
}
// List the ciphers that the client is permitted to negotiate
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1678754&r1=1678753&r2=1678754&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Mon May 11
13:38:49 2015
@@ -55,7 +55,7 @@ public class SSLHostConfig {
private CertificateVerification certificateVerification =
CertificateVerification.NONE;
private int certificateVerificationDepth = 10;
private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
- private boolean honorCipherOrder = false;
+ private boolean honorCipherOrder = true;
private Set<String> protocols = new HashSet<>();
// JSSE
private String certificateKeyAlias;
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1678754&r1=1678753&r2=1678754&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon May 11 13:38:49 2015
@@ -1177,9 +1177,9 @@
<attribute name="disableCompression" required="false">
<p>OpenSSL only.</p>
- <p>Disables compression if set to <code>true</code> and OpenSSL supports
- disabling compression. Default is <code>true</code>. If
<code>false</code>
- the default compression setting in OpenSSL will be used.</p>
+ <p>Configures if compression is disabled. The default is
+ <code>true</code>. If the OpenSSL version used does not support disabling
+ compression then the default for that OpenSSL version will be used.</p>
</attribute>
<attribute name="disableSessionTickets" required="false">
@@ -1191,7 +1191,7 @@
<attribute name="honorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>ciphers</code> setting) instead of allowing
- the client to choose the cipher (which is the default).</p>
+ the client to choose the cipher. The default is <code>true</code>.</p>
</attribute>
<attribute name="hostName" required="false">
@@ -1203,10 +1203,10 @@
<attribute name="insecureRenegotiation" required="false">
<p>OpenSSL only.</p>
- <p>Enables insecure renegotiation if set to <code>true</code> and OpenSSL
- supports enabling insecure renegotiation. Default is <code>false</code>.
- If <code>false</code> the default insecure renegotiation setting in
- OpenSSL will be used.</p>
+ <p>Configures if insecure renegotiation is allowed. The default is
+ <code>false</code>. If the OpenSSL version used does not support
+ configuring if insecure renegotiation is allowed then the default for
that
+ OpenSSL version will be used.</p>
</attribute>
<attribute name="keyManagerAlgorithm" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
