Author: mturk
Date: Tue Mar 2 09:14:44 2010
New Revision: 917928
URL: http://svn.apache.org/viewvc?rev=917928&view=rev
Log:
Port SSLInsecureRenegotiation from mod_ssl
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Tue Mar 2 09:14:44 2010
@@ -113,9 +113,12 @@
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
public static final int SSL_OP_ALL =
0x00000FFF;
-
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
0x00010000;
+ /* Permit unsafe legacy renegotiation */
+ public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
0x00040000;
+ /* If set, always create a new key when using tmp_eddh parameters */
+ public static final int SSL_OP_SINGLE_ECDH_USE =
0x00080000;
/* If set, always create a new key when using tmp_dh parameters */
public static final int SSL_OP_SINGLE_DH_USE =
0x00100000;
/* Set to always use the tmp_rsa key when doing RSA operations,
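Review bot: The comment added for SSL_OP_SINGLE_ECDH_USE misspells the OpenSSL parameter name; it should read `/* If set, always create a new key when using tmp_ecdh parameters */`. The comment on SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION would also serve readers better if it said what the flag costs, e.g. `/* Permit unsafe legacy renegotiation with peers lacking secure-renegotiation support; relaxes OpenSSL's default refusal */`. As far as I can tell both values match the OpenSSL headers, but the flag is only meaningful on builds that define it, which is what the hasOp() probe added later in this commit is for.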
@@ -325,4 +328,17 @@
* Return last SSL error string
*/
public static native String getLastError();
+
+ /**
+ * Return true if SSL_OP_ if defined.
+ * <p>
+ * Currently used for testing weather the
+ * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
+ * <p>
+ * @param op SSL_OP to test.
+ * @return true if SSL_OP is supported by OpenSSL library.
+ */
+ public static native boolean hasOp(int op);
+
}
+
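Review bot: The Javadoc on the new hasOp() native is garbled: the summary `Return true if SSL_OP_ if defined.` has lost its subject, and the second paragraph spells "whether" as "weather". Suggested wording: `Return true if the given SSL_OP_* option is defined by the OpenSSL library in use.` followed by `Currently used to test whether SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.` The `<p>` immediately before the @param tags is empty and can be dropped. The hunk also appends a blank line after the class's closing brace, which is stray whitespace.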
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Mar 2
09:14:44 2010
@@ -309,6 +309,14 @@
public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth =
SSLVerifyDepth; }
+ /**
+ * SSL allow insecure renegotiation for the the client that does not
+ * support the secure renegotiation.
+ */
+ protected boolean SSLInsecureRenegotiation = false;
+ public void seSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) {
this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
+ public boolean getSSLInsecureRenegotiation() { return
SSLInsecureRenegotiation; }
+
// --------------------------------------------------------- Public Methods
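Review bot: The setter is named `seSSLInsecureRenegotiation`, missing the `t`, so it does not follow the set<Property> form that the neighbouring setSSLVerifyDepth uses; if these endpoint attributes are applied by reflection on that naming pattern, as is common for such connector properties, the SSLInsecureRenegotiation attribute would never reach the field and the option would silently stay off. Rename it: `public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }`. The field Javadoc has a doubled article; `SSL: allow insecure renegotiation for clients that do not support secure renegotiation. Defaults to false; enabling it weakens the endpoint's TLS configuration.` reads better and states the default.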
@@ -460,6 +468,15 @@
}
// Create SSL Context
sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+ if (SSLInsecureRenegotiation) {
+ if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ else {
+ // OpenSSL does not support unsafe legacy renegotiation.
+ log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+ SSL.versionString()));
+ }
+ }
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
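Review bot: The inner `if (SSL.hasOp(...))` has an unbraced then-branch followed by a braced `else {`, which is easy to misread because the setOptions call wraps over two lines; brace both branches, `if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {` and `} else {`. The branch that actually applies SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is silent while only the unsupported case logs; since applying it deliberately weakens the TLS setup, a warn-level log on the applied path (with its own LocalStrings key) would let an operator see from the logs that this endpoint accepts insecure renegotiation. The enclosing method begins and ends outside this hunk.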
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Tue Mar 2 09:14:44 2010
@@ -39,3 +39,4 @@
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sednfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version
or the system doesn't support it
+endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL
library {0}
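Review bot: The new message text `Secure renegotation is not supported by the SSL library {0}` has a typo in "renegotiation", and its wording is at best ambiguous relative to the code that emits it: the warning fires when OpenSSL lacks SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which the inline comment in AprEndpoint describes as missing support for unsafe legacy renegotiation. Suggested text: `endpoint.warn.noInsecureReneg=Insecure legacy renegotiation cannot be enabled: it is not supported by the SSL library {0}`. Whichever wording is kept, spell "renegotiation" consistently so the message can be searched for in logs.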
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=917928&r1=917927&r2=917928&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar 2 09:14:44 2010
@@ -114,6 +114,11 @@
<subsection name="Coyote">
<changelog>
<update>
+ Port SSLInsecureRenegotiation from mod_ssl. This requires
+ to use tomcat-native 1.2.21 that have option to detect this
+ support from OpenSSL library. (mturk)
+ </update>
+ <update>
Allow bigger AJP packets also for request bodies and responses
using the packetSize attribute of the Connector. (rjung)
</update>