Author: kkolinko
Date: Sat Dec 6 19:25:58 2014
New Revision: 1643590
URL: http://svn.apache.org/r1643590
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57234
Make the SSL protocol filtering that removes insecure protocols
case-insensitive. Correct the spelling of the filterInsecureProtocols method.
This is
- Backport of r1641377
- + patch by Christopher Schultz to de-duplicate code and correct spelling of
filterInsecureProtocols method
- Fix a pair of compiler warnings in JSSESocketFactory.java
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1643590&r1=1643589&r2=1643590&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Dec 6 19:25:58 2014
@@ -28,29 +28,6 @@ None
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Use JSSESocketFactory.filterInsecureProtocols instead of duplicate
- implementation of the same code.
-
http://people.apache.org/~schultz/patches/coalesce-protocol-filtering.tc6.patch
- (Not a back-port. No functional change.)
- Also corrects spelling of filterInsecureProtocols method.
-+1: schultz, kkolinko
-+0: markt: Should fix BZ57234 at the same time kkolinko: Updated patch is
proposed below.
--1:
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57234
- Make SSL protocol filtering to remove insecure protocols case
- insensitive. Correct spelling of filterInsecureProtocols method.
- This is
- - Backport of r1641377
- - + patch by Christopher Schultz to de-duplicate code and correct
- spelling of filterInsecureProtocols method
- - Fix a pair of compiler warnings in JSSESocketFactory.java
- (fix duplicate ';' and use generics in declaration of a local variable).
- https://issues.apache.org/bugzilla/attachment.cgi?id=32226
- +1: kkolinko, remm, rjung
- +1: schultz, and I withdraw above proposal if this one is accepted
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54143
1. Add display of memory pools usage (including PermGen) to the Status page
of the Manager web application.
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1643590&r1=1643589&r2=1643590&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Sat
Dec 6 19:25:58 2014
@@ -1144,7 +1144,7 @@ public class NioEndpoint extends Abstrac
engine.setEnabledProtocols(sslEnabledProtocolsarr);
} else {
// Filter out the insecure protocols from the defaults
-
engine.setEnabledProtocols(JSSESocketFactory.filterInsecureProcotols(
+
engine.setEnabledProtocols(JSSESocketFactory.filterInsecureProtocols(
engine.getEnabledProtocols()));
}
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1643590&r1=1643589&r2=1643590&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Sat Dec 6 19:25:58 2014
@@ -45,6 +45,7 @@ import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
+import java.util.Locale;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
@@ -174,15 +175,8 @@ public class JSSESocketFactory
// Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults
// since they are no longer considered secure
- List<String> filteredProtocols = new ArrayList<String>();
- for (String protocol : socket.getEnabledProtocols()) {
- if (protocol.contains("SSL")) {
- log.debug(sm.getString("jsse.excludeDefaultProtocol",
protocol));
- continue;
- }
- filteredProtocols.add(protocol);
- }
- defaultServerProtocols = filteredProtocols.toArray(new
String[filteredProtocols.size()]);
+ defaultServerProtocols =
filterInsecureProtocols(socket.getEnabledProtocols());
+
if (defaultServerProtocols.length == 0) {
log.warn(sm.getString("jsse.noDefaultProtocols"));
}
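Review bot: The comment kept at the top of the hunk, `// Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults`, now describes a rule that no longer lives in this method: after the change the decision is made by filterInsecureProtocols, whose rule (visible in the last hunk of this file) is a case-insensitive substring match on "SSL" plus dropping null entries, not an explicit SSLv2/SSLv3 list. I would reword it to point at the helper so the two cannot drift apart, e.g. `// Drop insecure protocols from the JSSE defaults; the match rule lives in filterInsecureProtocols`. The `defaultServerProtocols.length == 0` warning below is the only signal an operator gets when that rule empties the default set, which is worth remembering if the helper's match is ever broadened. The enclosing method starts and ends outside this hunk.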
@@ -482,7 +476,7 @@ public class JSSESocketFactory
// Certificate encoding algorithm (e.g., SunX509)
String algorithm = (String) attributes.get("algorithm");
if (algorithm == null) {
- algorithm = KeyManagerFactory.getDefaultAlgorithm();;
+ algorithm = KeyManagerFactory.getDefaultAlgorithm();
}
String keystoreType = (String) attributes.get("keystoreType");
@@ -663,7 +657,7 @@ public class JSSESocketFactory
if("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams = new
PKIXBuilderParameters(trustStore,
new
X509CertSelector());
- Collection crls = getCRLs(crlf);
+ Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
@@ -856,14 +850,14 @@ public class JSSESocketFactory
}
- public static String[] filterInsecureProcotols(String[] protocols) {
+ public static String[] filterInsecureProtocols(String[] protocols) {
if (protocols == null) {
return null;
}
List<String> result = new ArrayList<String>(protocols.length);
for (String protocol : protocols) {
- if (protocol == null || protocol.contains("SSL")) {
+ if (protocol == null ||
protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) {
log.debug(sm.getString("jsse.excludeDefaultProtocol",
protocol));
} else {
result.add(protocol);
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1643590&r1=1643589&r2=1643590&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Dec 6 19:25:58 2014
@@ -51,6 +51,15 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>57234</bug>: Make SSL protocol filtering to remove insecure
+ protocols case insensitive. Correct spelling of
+ filterInsecureProtocols method. (kkolinko/schultz)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Web applications">
<changelog>
<fix>