Author: markt Date: Tue Apr 5 18:02:25 2016 New Revision: 1737862 URL: http://svn.apache.org/viewvc?rev=1737862&view=rev Log: With a minimum version of OpenSSL 1.0.2, these features are always available.
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737862&r1=1737861&r2=1737862&view=diff ==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Apr 5 18:02:25 2016
@@ -194,82 +194,32 @@ public class OpenSSLContext implements o return; } try { - boolean legacyRenegSupported = false; - try { - legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - if (legacyRenegSupported) - if (sslHostConfig.getInsecureRenegotiation()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - } - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!legacyRenegSupported) { - // OpenSSL does not support unsafe legacy renegotiation. - log.warn(netSm.getString("endpoint.warn.noInsecureReneg", - SSL.versionString())); + if (sslHostConfig.getInsecureRenegotiation()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); } + // Use server's preference order for ciphers (rather than // client's) - boolean orderCiphersSupported = false; - try { - orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - if (orderCiphersSupported) { - if (sslHostConfig.getHonorCipherOrder()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - } - } - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!orderCiphersSupported) { - // OpenSSL does not support ciphers ordering. 
- log.warn(netSm.getString("endpoint.warn.noHonorCipherOrder", - SSL.versionString())); + if (sslHostConfig.getHonorCipherOrder()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); } // Disable compression if requested - boolean disableCompressionSupported = false; - try { - disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION); - if (disableCompressionSupported) { - if (sslHostConfig.getDisableCompression()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); - } - } - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!disableCompressionSupported) { - // OpenSSL does not support ciphers ordering. - log.warn(netSm.getString("endpoint.warn.noDisableCompression", - SSL.versionString())); + if (sslHostConfig.getDisableCompression()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); } // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy - boolean disableSessionTicketsSupported = false; - try { - disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET); - if (disableSessionTicketsSupported) { - if (sslHostConfig.getDisableSessionTickets()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET); - } - } - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!disableSessionTicketsSupported) { - // OpenSSL is too old to support TLS Session Tickets. 
- log.warn(netSm.getString("endpoint.warn.noDisableSessionTickets", - SSL.versionString())); + if (sslHostConfig.getDisableSessionTickets()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET); } // Set session cache size, if specified --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
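Review bot: Nothing in this hunk enforces the "minimum OpenSSL 1.0.2" assumption the commit log relies on: the `SSL.hasOp(...)` probes and the `UnsatisfiedLinkError` handlers are gone, so if a tcnative built against an older library is loaded, `SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION)` and `SSL.SSL_OP_NO_TICKET` may silently become no-ops and the old `endpoint.warn.noDisableCompression` / `noDisableSessionTickets` warnings that used to flag exactly that are no longer emitted, leaving TLS compression (CRIME) or session tickets enabled while the configuration says they are off. Unless the floor is already checked at library load elsewhere (not visible here), add a one-time guard before this block and fail closed rather than configure silently, e.g. `if (SSL.version() < 0x1000200fL) { throw new IllegalStateException(netSm.getString("endpoint.warn.noInsecureReneg", SSL.versionString())); }` (reusing an existing key until a dedicated one is added). The explicit `clearOptions` calls in the else branches are worth keeping as they are, since they make the secure default independent of whatever the context inherited. The enclosing method and the `try` opened at the top of this hunk both continue outside it, so the catch that follows should be checked for any remaining reference to the removed `UnsatisfiedLinkError` handling.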