Author: rjung Date: Fri May 22 15:30:13 2015 New Revision: 1681147 URL: http://svn.apache.org/r1681147 Log: Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1526168 from httpd/mod_ssl: Streamline ephemeral key handling: - unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
For additional background, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3c52358ed1.2070...@velox.ch%3E
Modified:
    tomcat/native/trunk/native/include/ssl_private.h
    tomcat/native/trunk/native/src/sslcontext.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681147&r1=1681146&r2=1681147&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 15:30:13 2015
@@ -210,6 +210,7 @@
 #define OCSP_STATUS_REVOKED 1
 #define OCSP_STATUS_UNKNOWN 2
+#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")
 /* ECC: make sure we have at least 1.0.0 */
 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681147&r1=1681146&r2=1681147&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 15:30:13 2015
@@ -379,13 +379,25 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     TCN_ASSERT(ctx != 0);
     if (!J2S(ciphers))
         return JNI_FALSE;
-
-    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+
+    /*
+     * Always disable NULL and export ciphers,
+     * no matter what was given in the config.
+     */
+    size_t len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    char *buf = malloc(len * sizeof(char *));
+    if (buf == NULL)
+        return JNI_FALSE;
+    memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+    buf[len - 1] = '\0';
+    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
         char err[256];
         ERR_error_string(ERR_get_error(), err);
         tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
         rv = JNI_FALSE;
     }
+    free(buf);
     TCN_FREE_CSTRING(ciphers);
     return rv;
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
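Review bot: The new `if (buf == NULL) return JNI_FALSE;` path returns without reaching `TCN_FREE_CSTRING(ciphers)` at the bottom of the hunk, so the C string obtained for `ciphers` is leaked on allocation failure, and unlike the `SSL_CTX_set_cipher_list` failure path it raises no exception, so the Java caller only sees a bare false (whether callers distinguish the two cases is not visible here). `malloc(len * sizeof(char *))` also allocates pointer-sized units for a byte buffer; it is harmless but over-allocates and reads like a typo for `sizeof *buf`. The three `strlen` calls, two `memcpy`s and the manual terminator can be collapsed into one bounded `snprintf`, which removes the chance of an off-by-one between the computed `len` and the copies. The enclosing `TCN_IMPLEMENT_CALL` body starts above the hunk (where `rv` is presumably initialised), so the rewrite below keeps the existing `rv`/cleanup structure and only touches the allocation and concatenation lines.
```c
    size_t len = strlen(SSL_CIPHERS_ALWAYS_DISABLED) + strlen(J2S(ciphers)) + 1;
    char *buf = malloc(len);            /* len is in bytes; sizeof *buf == 1 */
    if (buf == NULL) {
        TCN_FREE_CSTRING(ciphers);      /* release the JNI string on this path too */
        return JNI_FALSE;
    }
    /* "!" exclusions are prepended so the configured list cannot re-enable them */
    snprintf(buf, len, "%s%s", SSL_CIPHERS_ALWAYS_DISABLED, J2S(ciphers));
    /* … unchanged: SSL_CTX_set_cipher_list check, free(buf), TCN_FREE_CSTRING, return rv … */
```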