Author: rjung Date: Sun May 24 19:45:21 2015 New Revision: 1681523 URL: http://svn.apache.org/r1681523 Log: Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1526168 from httpd/mod_ssl: - unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string Custom tcnative builds with configure flag --enable-insecure-export-ciphers can reenable support for the insecure export and null ciphers.
Modified:
tomcat/native/branches/1.1.x/ (props changed)
tomcat/native/branches/1.1.x/native/configure.in
tomcat/native/branches/1.1.x/native/include/ssl_private.h
tomcat/native/branches/1.1.x/native/src/sslcontext.c
tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Propchange: tomcat/native/branches/1.1.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun May 24 19:45:21 2015
@@ -1,3 +1,3 @@
-/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509
+/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681147,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509,1681520
 /tomcat/tc7.0.x/trunk:1199985,1200164,1349932,1434887,1435769
 /tomcat/trunk:815418,832198,1001939,1033916,1043103,1044729,1078522,1145209,1145285,1149092,1241356,1241406-1241407,1242254,1292671,1299980,1300102,1434905,1437083
Modified: tomcat/native/branches/1.1.x/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/configure.in?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/configure.in (original)
+++ tomcat/native/branches/1.1.x/native/configure.in Sun May 24 19:45:21 2015
@@ -162,6 +162,17 @@ AC_ARG_ENABLE(ocsp,
 esac
 ])
+AC_ARG_ENABLE(insecure-export-ciphers,
+[AS_HELP_STRING([--enable-insecure-export-ciphers],[allow including insecure export and null ciphers in the cipher string (default is disabled=not allowed)])],
+[
+ case "${enableval}" in
+ yes )
+ APR_ADDTO(CFLAGS, [-DHAVE_EXPORT_CIPHERS])
+ AC_MSG_WARN([Enabling insecure export and null cipher support])
+ ;;
+ esac
+])
+
 if $use_openssl ; then
 TCN_CHECK_SSL_TOOLKIT
 fi
Modified: tomcat/native/branches/1.1.x/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/ssl_private.h?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/include/ssl_private.h (original)
+++ tomcat/native/branches/1.1.x/native/include/ssl_private.h Sun May 24 19:45:21 2015
@@ -175,6 +175,8 @@
 #define OCSP_STATUS_REVOKED 1
 #define OCSP_STATUS_UNKNOWN 2
+#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")
+
 /* ECC: make sure we have at least 1.0.0 */
 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
 #define HAVE_ECC 1
Modified: tomcat/native/branches/1.1.x/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/sslcontext.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslcontext.c Sun May 24 19:45:21 2015
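Review bot: The `case "${enableval}" in` block added for insecure-export-ciphers has only a `yes )` arm, so a mistyped value such as `--enable-insecure-export-ciphers=true` is accepted without any message and silently leaves the hardening in place, which is safe but hides a configuration error. Adding `no ) ;;` and `*) AC_MSG_ERROR([bad value ${enableval} for --enable-insecure-export-ciphers]) ;;` makes the flag fail loudly on anything other than the two documented values. The help string could also name the macro the flag defines, `-DHAVE_EXPORT_CIPHERS`, since that is the symbol a reader will look for in the C sources.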
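Review bot: The parentheses in `#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")` turn the macro into a parenthesised expression rather than a string literal, so it can no longer be concatenated with an adjacent literal at compile time (`SSL_CIPHERS_ALWAYS_DISABLED "..."` would not compile), which is the main reason to keep such a prefix as a macro instead of a `static const char *`. Defining it as `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"` preserves that use and is otherwise equivalent. The definition also deserves a comment, because the trailing `:` is load-bearing — sslcontext.c copies this string directly in front of the configured cipher list — e.g. `/* Prepended to every configured cipher string; the trailing ':' separates it from the user's list. */`.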
@@ -301,18 +301,40 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
 tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
 TCN_ALLOC_CSTRING(ciphers);
 jboolean rv = JNI_TRUE;
+#ifndef HAVE_EXPORT_CIPHERS
+ size_t len;
+ char *buf;
+#endif
 UNREFERENCED(o);
 TCN_ASSERT(ctx != 0);
 if (!J2S(ciphers))
 return JNI_FALSE;
-
+
+#ifndef HAVE_EXPORT_CIPHERS
+ /*
+ * Always disable NULL and export ciphers,
+ * no matter what was given in the config.
+ */
+ len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+ buf = malloc(len * sizeof(char *));
+ if (buf == NULL)
+ return JNI_FALSE;
+ memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+ memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+ buf[len - 1] = '\0';
+ if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+#else
 if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+#endif
 char err[256];
 ERR_error_string(ERR_get_error(), err);
 tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
 rv = JNI_FALSE;
 }
+#ifndef HAVE_EXPORT_CIPHERS
+ free(buf);
+#endif
 TCN_FREE_CSTRING(ciphers);
 return rv;
 }
Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Sun May 24 19:45:21 2015
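Review bot: The malloc-failure path added inside the `#ifndef HAVE_EXPORT_CIPHERS` block, `if (buf == NULL) return JNI_FALSE;`, returns without the `TCN_FREE_CSTRING(ciphers)` that the normal exit performs after `TCN_ALLOC_CSTRING(ciphers)`, so whatever that macro acquires (presumably the JNI UTF string; its definition is outside the hunk) is leaked on that path, and the fix is `if (buf == NULL) { TCN_FREE_CSTRING(ciphers); return JNI_FALSE; }`. `buf = malloc(len * sizeof(char *));` also allocates pointer-size times the intended byte count — the two `memcpy` calls and `buf[len - 1] = '\0'` are sized for exactly `len` bytes, so `malloc(len)` is what is meant. As a point of style, spreading `#ifndef`/`#else`/`#endif` across the `if` condition leaves two copies of the `SSL_CTX_set_cipher_list` call to keep in sync; selecting the list into one `const char *` first keeps a single call, as sketched below. The `!aNULL:!eNULL:!EXP:` prefix itself is sound, since OpenSSL treats `!` exclusions as permanent and nothing later in the configured string can re-enable those suites. The function's signature line and opening brace are outside the hunk.
```c
    /* … unchanged: c, ciphers and rv declarations … */
    const char *list;
#ifndef HAVE_EXPORT_CIPHERS
    size_t len;
    char *buf = NULL;
#endif
    /* … unchanged: UNREFERENCED, TCN_ASSERT, J2S(ciphers) null check … */
    list = J2S(ciphers);
#ifndef HAVE_EXPORT_CIPHERS
    /*
     * Always disable NULL and export ciphers,
     * no matter what was given in the config.
     */
    len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
    buf = malloc(len);                 /* len is a byte count; sizeof(char) == 1 */
    if (buf == NULL) {
        TCN_FREE_CSTRING(ciphers);     /* pair with TCN_ALLOC_CSTRING, as the normal exit does */
        return JNI_FALSE;
    }
    /* … unchanged: the two memcpy calls and the terminating NUL … */
    list = buf;
#endif
    if (!SSL_CTX_set_cipher_list(c->ctx, list)) {
        /* … unchanged: ERR_error_string, tcn_Throw, rv = JNI_FALSE … */
    }
#ifndef HAVE_EXPORT_CIPHERS
    free(buf);
#endif
```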
@@ -39,6 +39,12 @@ <section name="Changes between 1.1.33 and 1.1.34"> <changelog> <update> + Unconditionally disable export Ciphers. Use the + configure flag --enable-insecure-export-ciphers + for a custom build supporting those insecure ciphers. + (rjung) + </update> + <update> Improve ephemeral key handling for DH and ECDH. Parameter strength is by default derived from the certificate key strength. It can be overwritten --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org