Author: markt
Date: Sat Jan 30 00:18:19 2016
New Revision: 1727667
URL: http://svn.apache.org/viewvc?rev=1727667&view=rev
Log:
Fix an NPE in the Manager web application when displaying ciphers for APR/native
Align OpenSsl's handling of enabled ciphers/protocols with JSSE
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1727667&r1=1727666&r2=1727667&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Jan 30
00:18:19 2016
@@ -24,7 +24,9 @@ import java.nio.channels.CompletionHandl
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executor;
import java.util.concurrent.RejectedExecutionException;
@@ -54,6 +56,7 @@ import org.apache.tomcat.util.buf.ByteBu
import org.apache.tomcat.util.net.AbstractEndpoint.Acceptor.AcceptorState;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.SSLHostConfig.Type;
+import org.apache.tomcat.util.net.openssl.OpenSSLEngine;
/**
@@ -346,13 +349,32 @@ public class AprEndpoint extends Abstrac
if (isSSLEnabled()) {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ Set<SSLHostConfigCertificate> certificates =
sslHostConfig.getCertificates(true);
+ boolean firstCertificate = true;
+ for (SSLHostConfigCertificate certificate : certificates) {
if
(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) {
// This is required
throw new
Exception(sm.getString("endpoint.apr.noSslCertFile"));
}
+ if (firstCertificate) {
+ // TODO: Duplicates code in SSLUtilBase. Consider
+ // refactoring to reduce duplication
+ firstCertificate = false;
+ // Configure the enabled protocols
+ List<String> enabledProtocols =
SSLUtilBase.getEnabled("protocols", log,
+ true, sslHostConfig.getProtocols(),
+ OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET);
+ sslHostConfig.setEnabledProtocols(
+ enabledProtocols.toArray(new
String[enabledProtocols.size()]));
+ // Configure the enabled ciphers
+ List<String> enabledCiphers =
SSLUtilBase.getEnabled("ciphers", log,
+ false, sslHostConfig.getJsseCipherNames(),
+ OpenSSLEngine.AVAILABLE_CIPHER_SUITES);
+ sslHostConfig.setEnabledCiphers(
+ enabledCiphers.toArray(new
String[enabledCiphers.size()]));
+ }
}
- if (sslHostConfig.getCertificates().size() > 2) {
+ if (certificates.size() > 2) {
// TODO: Can this limitation be removed?
throw new
Exception(sm.getString("endpoint.apr.tooManyCertFiles"));
}
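Review bot: The enabled-protocol and enabled-cipher computation is per SSLHostConfig, yet it sits inside the per-certificate loop behind the `firstCertificate` flag; if `getCertificates(true)` can ever return an empty set (not visible from this hunk), the two setters are never called and the `sslHostConfig.getEnabledProtocols()` loop in the following hunk would iterate an unset value. Hoisting the two `SSLUtilBase.getEnabled(...)` calls and the `setEnabledProtocols`/`setEnabledCiphers` calls to just after the `certificates` declaration and deleting the `firstCertificate` flag makes the per-host scope explicit and removes that dependency on the loop running. Note also that `warnOnSkip` is `false` for ciphers, so a configured suite that OpenSSL does not offer is dropped with only a debug-level message; a one-line comment such as `// Unsupported configured ciphers are dropped silently (debug log only), mirroring SSLUtilBase` would help the next reader of the resulting `server.xml` behaviour. The enclosing method starts and ends outside the hunk.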
@@ -363,7 +385,7 @@ public class AprEndpoint extends Abstrac
// Native fallback used if protocols=""
value = SSL.SSL_PROTOCOL_ALL;
} else {
- for (String protocol : sslHostConfig.getProtocols()) {
+ for (String protocol :
sslHostConfig.getEnabledProtocols()) {
if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
// NO-OP. OpenSSL always supports SSLv2Hello
} else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1727667&r1=1727666&r2=1727667&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Sat Jan 30
00:18:19 2016
@@ -45,19 +45,19 @@ public abstract class SSLUtilBase implem
Set<String> configuredProtocols = sslHostConfig.getProtocols();
Set<String> implementedProtocols = getImplementedProtocols();
List<String> enabledProtocols =
- getEnabled("protocols", true, configuredProtocols,
implementedProtocols);
+ getEnabled("protocols", getLog(), true, configuredProtocols,
implementedProtocols);
this.enabledProtocols = enabledProtocols.toArray(new
String[enabledProtocols.size()]);
// Calculate the enabled ciphers
List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
Set<String> implementedCiphers = getImplementedCiphers();
List<String> enabledCiphers =
- getEnabled("ciphers", false, configuredCiphers,
implementedCiphers);
+ getEnabled("ciphers", getLog(), false, configuredCiphers,
implementedCiphers);
this.enabledCiphers = enabledCiphers.toArray(new
String[enabledCiphers.size()]);
}
- private <T> List<T> getEnabled(String name, boolean warnOnSkip,
Collection<T> configured,
+ static <T> List<T> getEnabled(String name, Log log, boolean warnOnSkip,
Collection<T> configured,
Collection<T> implemented) {
List<T> enabled = new ArrayList<>();
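Review bot: `getEnabled` changes from a private instance helper to a package-visible static utility that AprEndpoint now calls, but it carries no Javadoc describing the contract the second caller depends on. Add a Javadoc stating that it returns the members of `configured` that are also in `implemented`, in configured order, that `warnOnSkip` controls whether skipped entries are logged at warn or debug, and `@throws IllegalArgumentException if none of the configured values is implemented`, which is the behaviour visible in the following hunk. The method body continues past the end of this hunk.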
@@ -80,19 +80,19 @@ public abstract class SSLUtilBase implem
throw new IllegalArgumentException(
sm.getString("sslUtilBase.noneSupported", name,
configured));
}
- if (getLog().isDebugEnabled()) {
- getLog().debug(sm.getString("sslUtilBase.active", name,
enabled));
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("sslUtilBase.active", name, enabled));
}
- if (getLog().isDebugEnabled() || warnOnSkip) {
+ if (log.isDebugEnabled() || warnOnSkip) {
if (enabled.size() != configured.size()) {
List<T> skipped = new ArrayList<>();
skipped.addAll(configured);
skipped.removeAll(enabled);
String msg = sm.getString("sslUtilBase.skipped", name,
skipped);
if (warnOnSkip) {
- getLog().warn(msg);
+ log.warn(msg);
} else {
- getLog().debug(msg);
+ log.debug(msg);
}
}
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1727667&r1=1727666&r2=1727667&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Sat
Jan 30 00:18:19 2016
@@ -68,7 +68,7 @@ public final class OpenSSLEngine extends
private static final SSLException ENGINE_CLOSED = new
SSLException(sm.getString("engine.engineClosed"));
private static final SSLException ENCRYPTED_PACKET_OVERSIZED = new
SSLException(sm.getString("engine.oversizedPacket"));
- protected static final Set<String> AVAILABLE_CIPHER_SUITES;
+ public static final Set<String> AVAILABLE_CIPHER_SUITES;
static {
final Set<String> availableCipherSuites = new LinkedHashSet<>(128);
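Review bot: `AVAILABLE_CIPHER_SUITES` becomes `public` here while the static block below builds it as a mutable `LinkedHashSet`, so unless the assignment at the end of that block (outside this hunk) already wraps it, any class in the JVM can now add or remove entries from the set that AprEndpoint uses to decide which cipher suites are enabled. The next hunk wraps `IMPLEMENTED_PROTOCOLS_SET` in `Collections.unmodifiableSet(...)` when it is made public; the same treatment belongs here, `AVAILABLE_CIPHER_SUITES = Collections.unmodifiableSet(availableCipherSuites);` at the point of assignment, so the two public constants are consistent and the filter cannot be widened at runtime.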
@@ -122,8 +122,8 @@ public final class OpenSSLEngine extends
Constants.SSL_PROTO_TLSv1_1,
Constants.SSL_PROTO_TLSv1_2
};
- protected static final Set<String> IMPLEMENTED_PROTOCOLS_SET =
- new HashSet<>(Arrays.asList(IMPLEMENTED_PROTOCOLS));
+ public static final Set<String> IMPLEMENTED_PROTOCOLS_SET =
+ Collections.unmodifiableSet(new
HashSet<>(Arrays.asList(IMPLEMENTED_PROTOCOLS)));
// Header (5) + Data (2^14) + Compression (1024) + Encryption (1024) + MAC
(20) + Padding (256)
static final int MAX_ENCRYPTED_PACKET_LENGTH = MAX_CIPHERTEXT_LENGTH + 5 +
20 + 256;
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1727667&r1=1727666&r2=1727667&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jan 30 00:18:19 2016
@@ -78,6 +78,18 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Correct a regression in the connector refactoring in 9.0.0.M2 that
broke
+ TLS support for the APR/native connector. (remm)
+ </fix>
+ <fix>
+ Correct an NPE when listing the enabled ciphers (e.g. via the Manager
+ web application) for a TLS enabled APR/native connector. (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 9.0.0.M2" rtext="Voting in progress">
<subsection name="Catalina">