// Resolves which ProtocolHandler class this Connector will instantiate. The
// choice depends first on whether the APR/native library is loaded
// (AprLifecycleListener.isAprAvailable()) and then on the protocol string
// from the connector configuration, so the same protocol="HTTP/1.1" can end
// up on a different handler class depending on the runtime environment.
Baron org.apache.catalina.connector.Connector: public void setProtocol(String
protocol) { if (AprLifecycleListener.isAprAvailable()) {
// APR branch: the well-known protocol names map onto the *Apr* handler
// classes; any other non-null value is taken verbatim as a class name and
// null falls back to Http11AprProtocol.
if ("HTTP/1.1".equals(protocol)) {
setProtocolHandlerClassName
("org.apache.coyote.http11.Http11AprProtocol");
} else if ("AJP/1.3".equals(protocol)) {
setProtocolHandlerClassName
("org.apache.coyote.ajp.AjpAprProtocol");
} else if (protocol != null) {
setProtocolHandlerClassName(protocol);
} else {
setProtocolHandlerClassName
("org.apache.coyote.http11.Http11AprProtocol");
}
} else {
// Non-APR branch: same mapping onto the pure-Java handlers. There is no
// final else here, so a null protocol leaves protocolHandlerClassName at
// whatever its field initializer is (the field declaration is not part of
// this excerpt).
if ("HTTP/1.1".equals(protocol)) {
setProtocolHandlerClassName
("org.apache.coyote.http11.Http11Protocol");
} else if ("AJP/1.3".equals(protocol)) {
setProtocolHandlerClassName
("org.apache.coyote.ajp.AjpProtocol");
} else if (protocol != null) {
setProtocolHandlerClassName(protocol);
}
} }
setProtocol assigns
// Constructs a Connector for the given protocol string: setProtocol() picks
// the handler class name, which is then instantiated reflectively.
protocolHandlerClassName="org.apache.coyote.http11.Http11AprProtocol" public
Connector(String protocol) {
setProtocol(protocol);
// Instantiate protocol handler
try {
Class<?> clazz = Class.forName(protocolHandlerClassName);
this.protocolHandler = (ProtocolHandler) clazz.newInstance();
} catch (Exception e) {
// Any failure (class not found, no no-arg constructor, wrong type, ...)
// is logged but not rethrown: the Connector is still constructed with
// protocolHandler == null. getProperty() below hands that field straight
// to IntrospectionUtils.getProperty(), which calls o.getClass() on it.
log.error
(sm.getString
("coyoteConnector.protocolHandlerInstantiationFailed", e));
}
}
/*** Return a configured property. */
// Reads an attribute off the protocol handler by reflection. The attribute
// name is first passed through the `replacements` map (declared elsewhere in
// Connector), so a connector attribute may be renamed before the getter
// lookup; the map is consulted twice (null check, then fetch).
public Object getProperty(String name) {
String repl = name;
if (replacements.get(name) != null) {
repl = replacements.get(name);
}
// IntrospectionUtils.getProperty looks for a zero-argument get<Name>() (and
// an is<Name>() variant) on the handler's runtime class -- see the excerpt
// that follows. Which getters exist therefore depends on the handler class
// chosen by setProtocol(), not on the Connector itself.
return IntrospectionUtils.getProperty(protocolHandler, repl);
} org.apache.tomcat.util.IntrospectionUtils
public static Object getProperty(Object o, String name) {
String getter = "get" + capitalize(name);
String isGetter = "is" + capitalize(name); try {
Method methods[] = findMethods(o.getClass());
Method getPropertyMethod = null; // First, the ideal
case - a getFoo() method
for (int i = 0; i < methods.length; i++) {
Class<?> paramT[] = methods[i].getParameterTypes();
if (getter.equals(methods[i].getName()) && paramT.length == 0) {
return methods[i].invoke(o, (Object[]) null);</snip>
org.apache.coyote.http11.Http11AprProtocol public void init() throws Exception {
// Name given to the endpoint by init() above: "http-" plus the optional
// URL-encoded bind address and a "-" separator, plus the port.
endpoint.setName(getName()); public String getName() {
String encodedAddr = "";
if (getAddress() != null) {
// Stringified bind address. Presumably an InetAddress, whose toString()
// starts with "/" when it carries no hostname -- hence the substring(1);
// TODO confirm against getAddress()'s declared type.
encodedAddr = "" + getAddress();
if (encodedAddr.startsWith("/"))
encodedAddr = encodedAddr.substring(1);
// Single-argument URLEncoder.encode(String) is the deprecated overload
// that encodes with the platform default charset.
encodedAddr = URLEncoder.encode(encodedAddr) + "-";
}
return ("http-" + encodedAddr + endpoint.getPort());
} return the SSLCipherSuite() for the specified endpoint
// Delegates to the endpoint. For the APR endpoint this is the SSLCipherSuite
// attribute (default "ALL" in the AprEndpoint excerpt below), which is a
// different attribute name from the ciphers="..." used in the connector
// configuration quoted further down.
public String getSSLCipherSuite() { return endpoint.getSSLCipherSuite(); }
(assuming the endpoint is the APR one, not NIO or JIO)
// NOTE(review): the cipher list is "ALL" unless the connector sets
// SSLCipherSuite explicitly. This reads like an OpenSSL cipher-list
// expression (the hand-off to OpenSSL is not shown here), which would let
// the native connector accept every cipher its OpenSSL build offers -- a
// default that is consistent with the s_client results quoted below, where a
// connector configured only with ciphers="..." still negotiated CBC suites.
org.apache.tomcat.util.net.AprEndpoint protected String SSLCipherSuite = "ALL";
// Returns the configured cipher list ("ALL" when never set).
public String getSSLCipherSuite() { return SSLCipherSuite; }
// Setter reached by reflection from the Connector's SSLCipherSuite
// attribute; this -- not ciphers -- is the attribute that narrows the APR
// endpoint's cipher list. No validation of the string happens here.
public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite
= SSLCipherSuite; }
you found a bug! (The APR endpoint's cipher list is its SSLCipherSuite attribute, which defaults to "ALL" as shown above; a connector that only sets ciphers="..." leaves that default in place, which is consistent with every cipher in your s_client run still connecting. SSLCipherSuite, via the setter shown above, is the attribute that restricts ciphers on that endpoint.)
Martin Gainty
______________________________________________
We have awaken a sleeping bear and filled him with a terrible resolve...Admiral
Yamamoto...7 December 1941 > Date: Tue, 8 Jan 2013 16:55:02 -1000
> From: [email protected]
> To: [email protected]
> Subject: Restricting ciphers
>
> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
> My understanding is that the attack applies only to CBC ciphers, and that
> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
> ciphers that Tomcat uses with the following config for a connector:
>
> <Connector protocol="HTTP/1.1" SSLEnabled="true"
> address="0.0.0.0"
> port="8443"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="/path/to/keystore"
> keystoreType="pkcs12"
> ciphers="TLS_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_RC4_128_MD5,
> SSL_CK_RC4_128_WITH_MD5"
> clientAuth="false" sslProtocol="TLS" />
>
> However, when I test this by attempting connections with a script[*] that
> iterates through the set of ciphers available to openssl, it appears to
> successfully connect with the following set of ciphers:
>
> AES128-SHA
> DES-CBC-SHA
> DES-CBC3-SHA
> DHE-RSA-AES128-SHA
> EDH-RSA-DES-CBC-SHA
> EDH-RSA-DES-CBC3-SHA
> EXP-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC4-MD5
> EXP-RC4-MD5
> RC4-MD5
> RC4-MD5
> RC4-SHA
>
> [*] The script basically parses the output of the following command:
> openssl s_client -cipher "$cipher" -connect $SERVER
>
> Am I misunderstanding the use of the "ciphers" parameter? Or is there
> perhaps something in my testing methodology that accounts for these
> unexpected results? Any advice would be appreciated.
>
> Aloha,
> -baron
> --
> Baron Fujimoto <[email protected]> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>