Author: markt
Date: Mon Apr 13 13:53:59 2015
New Revision: 1673194
URL: http://svn.apache.org/r1673194
Log:
Remove a BIO specific option
Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/webapps/docs/config/http.xml
    tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Mon Apr 13 13:53:59 2015
@@ -99,13 +99,6 @@ public abstract class AbstractHttp11Jsse
 public void setSessionTimeout(String s){getEndpoint().setSessionTimeout(s);}
 public String getSessionTimeout(){ return getEndpoint().getSessionTimeout();}
- public void setAllowUnsafeLegacyRenegotiation(String s) {
- getEndpoint().setAllowUnsafeLegacyRenegotiation(s);
- }
- public String getAllowUnsafeLegacyRenegotiation() {
- return getEndpoint().getAllowUnsafeLegacyRenegotiation();
- }
-
 public String getSslImplementationName() { return getEndpoint().getSslImplementationName(); }
 public void setSslImplementationName(String s) { getEndpoint().setSslImplementationName(s); }
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Mon Apr 13 13:53:59 2015
@@ -1038,14 +1038,6 @@ public abstract class AbstractEndpoint<S
 public String getSessionTimeout() { return sessionTimeout;}
 public void setSessionTimeout(String s) { sessionTimeout = s;}
- private String allowUnsafeLegacyRenegotiation = null;
- public String getAllowUnsafeLegacyRenegotiation() {
- return allowUnsafeLegacyRenegotiation;
- }
- public void setAllowUnsafeLegacyRenegotiation(String s) {
- allowUnsafeLegacyRenegotiation = s;
- }
-
 private String[] sslEnabledProtocolsarr = new String[0];
 public String[] getSslEnabledProtocolsArray() {
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon Apr 13 13:53:59 2015
@@ -1025,19 +1025,6 @@ documentation for the default value.</p>
 </attribute>
- <attribute name="allowUnsafeLegacyRenegotiation" required="false">
- <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
- users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
- protocol that allows an attacker to inject arbitrary data into the user's
- request. If not specified, a default of <code>false</code> is used. This
- attribute only has an effect if the JVM does not support RFC 5746 as
- indicated by the presence of the pseudo-ciphersuite
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
- onwards. Where RFC 5746 is supported the renegotiation - including support
- for unsafe legacy renegotiation - is controlled by the JVM configuration.
- </p>
- </attribute>
-
 <attribute name="useServerCipherSuitesOrder" required="false">
 <p>
 Set to <code>true</code> to enforce the server's cipher order
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1673194&r1=1673193&r2=1673194&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Mon Apr 13 13:53:59 2015
@@ -294,15 +294,6 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization.</p>
- <p>The <strong>allowUnsafeLegacyRenegotiation</strong> attribute provides
- a workaround for
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
- CVE-2009-3555</a>, a TLS man in the middle attack. This workaround applies
- to the BIO connector. It is only necessary if the underlying SSL
- implementation is vulnerable to CVE-2009-3555. For more information on the
- current state of this vulnerability and the work-arounds available see the
- <security>Tomcat <version-major/> security page</security>.</p>
-
 <p>The <strong>requiredSecret</strong> attribute in AJP connectors configures shared secret between Tomcat and reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org