Author: markt
Date: Mon Apr 13 13:53:59 2015
New Revision: 1673194

URL: http://svn.apache.org/r1673194
Log:
Remove a BIO specific option

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/webapps/docs/config/http.xml
    tomcat/trunk/webapps/docs/security-howto.xml

Modified: 
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java 
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java 
Mon Apr 13 13:53:59 2015
@@ -99,13 +99,6 @@ public abstract class AbstractHttp11Jsse
     public void setSessionTimeout(String 
s){getEndpoint().setSessionTimeout(s);}
     public String getSessionTimeout(){ return 
getEndpoint().getSessionTimeout();}
 
-    public void setAllowUnsafeLegacyRenegotiation(String s) {
-        getEndpoint().setAllowUnsafeLegacyRenegotiation(s);
-    }
-    public String getAllowUnsafeLegacyRenegotiation() {
-        return getEndpoint().getAllowUnsafeLegacyRenegotiation();
-    }
-
     public String getSslImplementationName() { return 
getEndpoint().getSslImplementationName(); }
     public void setSslImplementationName(String s) { 
getEndpoint().setSslImplementationName(s); }
 }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Mon Apr 
13 13:53:59 2015
@@ -1038,14 +1038,6 @@ public abstract class AbstractEndpoint<S
     public String getSessionTimeout() { return sessionTimeout;}
     public void setSessionTimeout(String s) { sessionTimeout = s;}
 
-    private String allowUnsafeLegacyRenegotiation = null;
-    public String getAllowUnsafeLegacyRenegotiation() {
-        return allowUnsafeLegacyRenegotiation;
-    }
-    public void setAllowUnsafeLegacyRenegotiation(String s) {
-        allowUnsafeLegacyRenegotiation = s;
-    }
-
 
     private String[] sslEnabledProtocolsarr = new String[0];
     public String[] getSslEnabledProtocolsArray() {

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon Apr 13 13:53:59 2015
@@ -1025,19 +1025,6 @@
       documentation for the default value.</p>
     </attribute>
 
-    <attribute name="allowUnsafeLegacyRenegotiation" required="false">
-      <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
-      users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
-      protocol that allows an attacker to inject arbitrary data into the user's
-      request. If not specified, a default of <code>false</code> is used. This
-      attribute only has an effect if the JVM does not support RFC 5746 as
-      indicated by the presence of the pseudo-ciphersuite
-      TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
-      onwards. Where RFC 5746 is supported the renegotiation - including 
support
-      for unsafe legacy renegotiation - is controlled by the JVM configuration.
-      </p>
-    </attribute>
-
     <attribute name="useServerCipherSuitesOrder" required="false">
       <p>
         Set to <code>true</code> to enforce the server's cipher order

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Mon Apr 13 13:53:59 2015
@@ -294,15 +294,6 @@
       proxy (the authenticated user name is passed to Tomcat as part of the AJP
       protocol) with the option for Tomcat to still perform authorization.</p>
 
-      <p>The <strong>allowUnsafeLegacyRenegotiation</strong> attribute provides
-      a workaround for
-      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
-      CVE-2009-3555</a>, a TLS man in the middle attack. This workaround 
applies
-      to the BIO connector. It is only necessary if the underlying SSL
-      implementation is vulnerable to CVE-2009-3555. For more information on 
the
-      current state of this vulnerability and the work-arounds available see 
the
-      <security>Tomcat <version-major/> security page</security>.</p>
-
       <p>The <strong>requiredSecret</strong> attribute in AJP connectors
       configures shared secret between Tomcat and reverse proxy in front of
       Tomcat. It is used to prevent unauthorized connections over AJP 
protocol.</p>


