JBossWeb SVN: r2567 - tags.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-12-04 10:06:08 -0500 (Thu, 04 Dec 2014)
New Revision: 2567
Added:
tags/JBOSSWEB_7_5_2_FINAL/
Log:
Web 7.5.2
JBossWeb SVN: r2566 - branches/7.5.x.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-12-04 10:05:44 -0500 (Thu, 04 Dec 2014)
New Revision: 2566
Modified:
branches/7.5.x/pom.xml
Log:
Web 7.5.2
Modified: branches/7.5.x/pom.xml
===================================================================
--- branches/7.5.x/pom.xml 2014-12-03 17:16:43 UTC (rev 2565)
+++ branches/7.5.x/pom.xml 2014-12-04 15:05:44 UTC (rev 2566)
@@ -33,7 +33,7 @@
<groupId>org.jboss.web</groupId>
<artifactId>jbossweb</artifactId>
- <version>7.5.1.Final</version>
+ <version>7.5.2.Final</version>
<name>JBoss Web</name>
<description>Servlet 3.0 container</description>
JBossWeb SVN: r2565 - in branches/7.5.x/src/main/java/org/apache/tomcat: util/net and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: jfclere
Date: 2014-12-03 12:16:43 -0500 (Wed, 03 Dec 2014)
New Revision: 2565
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java
Log:
BZ1158847: Port patch filtering SSL protocols for native
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java 2014-12-03 17:05:46 UTC (rev 2564)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java 2014-12-03 17:16:43 UTC (rev 2565)
@@ -73,7 +73,9 @@
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+ public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2);
/*
* Define the SSL verify levels
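Review bot: `SSL_PROTOCOL_ALL` on the last added line now excludes `SSL_PROTOCOL_SSLV2` and `SSL_PROTOCOL_SSLV3` while keeping the name ALL, and none of the constants carries a comment, so a reader of this class alone cannot tell that the exclusion is deliberate. Add above it `/** Every protocol considered secure: TLSv1, TLSv1.1 and TLSv1.2. SSLv2 and SSLv3 are intentionally left out and must be OR-ed in explicitly. */`, and a one-line comment on the two new bits saying they are new values the native library has to recognise. The native code that interprets bits 3 and 4 is not part of this diff; confirm the native build shipped with this branch decodes them, since this class only declares the numbers.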
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java 2014-12-03 17:05:46 UTC (rev 2564)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java 2014-12-03 17:16:43 UTC (rev 2565)
@@ -622,16 +622,34 @@
if (SSLEnabled) {
// SSL protocol
- int value = SSL.SSL_PROTOCOL_ALL;
- if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2;
- } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV3;
- } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_TLSV1;
- } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+ int value = SSL.SSL_PROTOCOL_NONE;
+ if (SSLProtocol == null || SSLProtocol.length() == 0) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ String protocols = SSLProtocol.replace(',', '+');
+ for (String protocol : protocols.split("\\+")) {
+ protocol = protocol.trim();
+ if ("SSLv2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
+ } else if ("all".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_ALL;
+ } else {
+ // Protocol not recognized, fail to start as it is safer than
+ // continuing with the default which might enable more than the
+ // is required
+ CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(protocol);
+ }
+ }
}
+
// Create SSL Context
sslContext = SSLContext.make(rootPool, value, (reverseConnection) ? SSL.SSL_MODE_CLIENT : SSL.SSL_MODE_SERVER);
// SSL renegociation
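Review bot: The comment on the final `else` branch says an unrecognised protocol should make startup fail, but the branch only calls `CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(protocol)` and the loop continues, so a misspelt entry is dropped and the connector starts with whatever else parsed. Make the code match the comment, `throw new IllegalArgumentException("Unsupported SSL protocol: " + protocol);`, or reword the comment to say the entry is ignored (it also reads "more than the is required", presumably "more than is required"). When every token is rejected, or `SSLProtocol` is only whitespace, `value` stays `SSL.SSL_PROTOCOL_NONE` and is passed unchanged to `SSLContext.make` two lines later, so a guard after the loop, `if (value == SSL.SSL_PROTOCOL_NONE) throw new IllegalArgumentException("No usable SSL protocol in: " + SSLProtocol);`, would surface the misconfiguration at startup instead of at the first handshake. The enclosing method starts and ends outside the hunk.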
JBossWeb SVN: r2564 - branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-12-03 12:05:46 -0500 (Wed, 03 Dec 2014)
New Revision: 2564
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
Log:
BZ1158852: Port patch filtering SSL protocols for JSSE. (part 2 for NIO2)
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-12-03 11:48:06 UTC (rev 2563)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-12-03 17:05:46 UTC (rev 2564)
@@ -44,9 +44,12 @@
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
import java.util.Locale;
-import java.util.Vector;
+import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
@@ -55,6 +58,7 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
@@ -85,6 +89,8 @@
public class NioJSSESocketChannelFactory extends DefaultNioServerSocketChannelFactory {
private static final boolean RFC_5746_SUPPORTED;
+ public static final String[] DEFAULT_SERVER_PROTOCOLS;
+
// defaults
private static final String defaultProtocol = "TLS";
static boolean defaultClientAuth = false;
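Review bot: `DEFAULT_SERVER_PROTOCOLS` is `public static final String[]`, which fixes the reference but not the contents, so any code with access to the class can overwrite an element and silently change the protocol set every later engine receives. Keep the field non-public and hand out a copy, e.g. `static String[] defaultServerProtocols() { return DEFAULT_SERVER_PROTOCOLS == null ? null : DEFAULT_SERVER_PROTOCOLS.clone(); }`, or at least document next to the declaration that callers must not modify the array. The declaration also needs a comment that the value is `null` when the static initializer could not probe the JVM defaults. JSSESocketFactory in r2563, further down this page, adds the identical field.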
@@ -98,6 +104,7 @@
// private static SSLContext context;
static {
boolean result = false;
+ String[] protocols = null;
try {
SSLContext context = SSLContext.getInstance(defaultProtocol);
context.init(null, null, new SecureRandom());
@@ -109,12 +116,24 @@
break;
}
}
+ // There is no API to obtain the default server protocols and cipher
+ // suites. Having inspected the OpenJDK code there the same results
+ // can be achieved via the standard API but there is no guarantee
+ // that every JVM implementation determines the defaults the same
+ // way. Therefore the defaults are determined by creating a server
+ // socket and requested the configured values.
+ SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket();
+ // Filter out all the insecure protocols
+ protocols = filterInsecureProcotols(socket.getEnabledProtocols());
} catch (NoSuchAlgorithmException e) {
// Assume no RFC 5746 support
} catch (KeyManagementException e) {
// Assume no RFC 5746 support
+ } catch (IOException e) {
+ // Unable to determine default ciphers/protocols so use none
}
RFC_5746_SUPPORTED = result;
+ DEFAULT_SERVER_PROTOCOLS = protocols;
}
protected boolean initialized;
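Review bot: The `SSLServerSocket` obtained from `ssf.createServerSocket()` in the added block is never closed, so the probe socket and its descriptor leak for the life of the class; query it inside try/finally as below (try-with-resources would be neater, but the diff does not show which Java level this branch targets). In the `catch (IOException e)` branch `protocols` stays `null`, so `DEFAULT_SERVER_PROTOCOLS` becomes `null` although the comment says "use none"; the `setEnabledProtocols` and `getEnabledProtocols` hunks below then pass that `null` to `SSLEngine.setEnabledProtocols`, which throws IllegalArgumentException for a null argument instead of enabling nothing. Initialising `protocols` to `new String[0]` in the preceding hunk would make the failure mode match the comment, at the cost of every handshake failing until the configuration is fixed, which is at least visible. `ssf` is assigned outside the hunk, presumably from the freshly initialised context. The static initializer in JSSESocketFactory (r2563, further down this page) has the same two issues.
```java
// … unchanged: RFC 5746 detection loop …
SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket();
try {
    // Filter out all the insecure protocols
    protocols = filterInsecureProcotols(socket.getEnabledProtocols());
} finally {
    socket.close(); // an IOException here is handled by the existing catch below
}
// … unchanged: catch clauses and field assignments …
```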
@@ -669,9 +688,11 @@
* the protocols to use.
*/
protected void setEnabledProtocols(SSLEngine engine, String[] protocols) {
- if (protocols != null) {
- engine.setEnabledProtocols(protocols);
- }
+ if (protocols == null) {
+ engine.setEnabledProtocols(DEFAULT_SERVER_PROTOCOLS);
+ } else {
+ engine.setEnabledProtocols(protocols);
+ }
}
/**
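Review bot: The Javadoc for `setEnabledProtocols(SSLEngine, String[])` (its `@param protocols` text ends in the context line `the protocols to use.`) no longer describes the null case, which this hunk gives a meaning: null now selects `DEFAULT_SERVER_PROTOCOLS`. Change the tag to `@param protocols the protocols to use, or {@code null} to fall back to {@link #DEFAULT_SERVER_PROTOCOLS}` and note there that the fallback may itself be null when the static initializer could not probe the JVM defaults, in which case `engine.setEnabledProtocols` rejects the argument. The Javadoc block begins above the hunk; the twin method in JSSESocketFactory (r2563, further down) needs the same wording.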
@@ -685,40 +706,31 @@
* @return Array of SSL protocol variants to be enabled, or null if none of
* the requested protocol variants are supported
*/
- protected String[] getEnabledProtocols(SSLEngine engine, String requestedProtocols) {
- String[] supportedProtocols = engine.getSupportedProtocols();
+ protected String[] getEnabledProtocols(SSLEngine engine,
+ String requestedProtocols){
+ Set<String> supportedProtocols = new HashSet<String>();
+ for (String supportedProtocol : engine.getSupportedProtocols()) {
+ supportedProtocols.add(supportedProtocol);
+ }
- String[] enabledProtocols = null;
+ if (requestedProtocols == null) {
+ return DEFAULT_SERVER_PROTOCOLS;
+ }
- if (requestedProtocols != null) {
- Vector<Object> vec = null;
- String tab[] = requestedProtocols.trim().split("\\s*,\\s*");
- if (tab.length > 0) {
- vec = new Vector<Object>(tab.length);
- }
- for (String s : tab) {
- if (s.length() > 0) {
- /*
- * Check to see if the requested protocol is among the
- * supported protocols, i.e., may be already enabled
- */
- for (int i = 0; supportedProtocols != null && i < supportedProtocols.length; i++) {
- if (supportedProtocols[i].equals(s)) {
- vec.addElement(s);
- break;
- }
- }
- }
- }
+ String[] requestedProtocolsArr = requestedProtocols.split(",");
+ List<String> enabledProtocols = new ArrayList<String>(requestedProtocolsArr.length);
- if (vec != null && !vec.isEmpty()) {
- enabledProtocols = new String[vec.size()];
- vec.copyInto(enabledProtocols);
- }
- }
+ for (String requestedProtocol : requestedProtocolsArr) {
+ String requestedProtocolTrim = requestedProtocol.trim();
+ if (supportedProtocols.contains(requestedProtocolTrim)) {
+ enabledProtocols.add(requestedProtocolTrim);
+ } else {
+ CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(requestedProtocolTrim);
+ }
+ }
- return enabledProtocols;
- }
+ return enabledProtocols.toArray(new String[enabledProtocols.size()]);
+ }
/**
* Configure the given SSL server socket with the requested cipher suites,
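Review bot: The `@return` text in the context lines above the method ("or null if none of the requested protocol variants are supported") no longer matches the new body, which returns an empty array in that case and `DEFAULT_SERVER_PROTOCOLS` when `requestedProtocols` is null. Reword it to `@return the requested protocol names that the engine supports (empty if none are), or the default server protocols when {@code requestedProtocols} is null`, and state in the method Javadoc that explicitly configured names are not passed through `filterInsecureProcotols`, so an operator who lists SSLv3 gets SSLv3. When every requested name is unsupported the empty result reaches `engine.setEnabledProtocols` at the call site and disables all protocols; the only log evidence is one warning per rejected token, so a summary after the loop such as `if (enabledProtocols.isEmpty()) { CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(requestedProtocols); }` would make the outcome obvious. The Javadoc block begins above the hunk; the twin method in JSSESocketFactory (r2563, further down) has the same stale `@return`.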
@@ -734,7 +746,7 @@
engine.setUseClientMode(false);
String requestedProtocols = (String) attributes.get("protocols");
- setEnabledProtocols(engine, getEnabledProtocols(engine, requestedProtocols));
+ engine.setEnabledProtocols(getEnabledProtocols(engine, requestedProtocols));
// we don't know if client authentication is needed -
// after parsing the request we may re-handshake
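Review bot: The call site now calls `engine.setEnabledProtocols(...)` directly rather than the protected `setEnabledProtocols(SSLEngine, String[])` hook that this same commit changes, so a subclass overriding the hook no longer affects this engine and, as far as the diff shows, the hook is left without a caller in this file. If bypassing it is intended, say so in a comment; otherwise keep `setEnabledProtocols(engine, getEnabledProtocols(engine, requestedProtocols));`. Either way, when no `protocols` attribute is configured `getEnabledProtocols` returns `DEFAULT_SERVER_PROTOCOLS`, which is `null` if the static initializer hit an IOException, and `SSLEngine.setEnabledProtocols(null)` throws IllegalArgumentException, so the common unconfigured case can fail here. The enclosing method starts and ends outside the hunk; JSSESocketFactory in r2563, further down, makes the identical change.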
@@ -785,4 +797,22 @@
}
}
+
+ public static String[] filterInsecureProcotols(String[] protocols) {
+ if (protocols == null) {
+ return null;
+ }
+
+ List<String> result = new ArrayList<String>(protocols.length);
+ for (String protocol : protocols) {
+ if (protocol == null || protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) {
+ if (CoyoteLogger.UTIL_LOGGER.isDebugEnabled()) {
+ CoyoteLogger.UTIL_LOGGER.debug("Exclude protocol: " + protocol);
+ }
+ } else {
+ result.add(protocol);
+ }
+ }
+ return result.toArray(new String[result.size()]);
+ }
}
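Review bot: `filterInsecureProcotols` misspells "Protocols" in a new public static method; since it is introduced here it can still be renamed to `filterInsecureProtocols` before any caller outside this class depends on the typo (the static initializer above and the twin in JSSESocketFactory in r2563 are the only callers on this page). The method also lacks Javadoc; a header such as `/** Returns the given protocol names minus any whose upper-cased name contains "SSL" (e.g. SSLv2, SSLv3, SSLv2Hello) and minus null entries; returns null only when the input is null. */` records the contract, in particular that the match is a substring test rather than an exact name. Dropped entries are logged at debug only, so in production there is no record that a JVM default was removed; consider one info-level line when the result differs from the input.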
JBossWeb SVN: r2563 - in branches/7.5.x/src/main/java/org: jboss/web and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-12-03 06:48:06 -0500 (Wed, 03 Dec 2014)
New Revision: 2563
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/7.5.x/src/main/java/org/jboss/web/CoyoteLogger.java
Log:
BZ1158852: Port patch filtering SSL protocols for JSSE.
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-12-01 12:49:41 UTC (rev 2562)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-12-03 11:48:06 UTC (rev 2563)
@@ -41,9 +41,12 @@
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
import java.util.Locale;
-import java.util.Vector;
+import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
@@ -85,6 +88,8 @@
extends org.apache.tomcat.util.net.ServerSocketFactory {
private static final boolean RFC_5746_SUPPORTED;
+ public static final String[] DEFAULT_SERVER_PROTOCOLS;
+
// defaults
static String defaultProtocol = "TLS";
static boolean defaultClientAuth = false;
@@ -98,6 +103,7 @@
static {
boolean result = false;
SSLContext context;
+ String[] protocols = null;
try {
context = SSLContext.getInstance("TLS");
context.init(null, null, new SecureRandom());
@@ -109,12 +115,24 @@
break;
}
}
+ // There is no API to obtain the default server protocols and cipher
+ // suites. Having inspected the OpenJDK code there the same results
+ // can be achieved via the standard API but there is no guarantee
+ // that every JVM implementation determines the defaults the same
+ // way. Therefore the defaults are determined by creating a server
+ // socket and requested the configured values.
+ SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket();
+ // Filter out all the insecure protocols
+ protocols = filterInsecureProcotols(socket.getEnabledProtocols());
} catch (NoSuchAlgorithmException e) {
// Assume no RFC 5746 support
} catch (KeyManagementException e) {
// Assume no RFC 5746 support
+ } catch (IOException e) {
+ // Unable to determine default ciphers/protocols so use none
}
RFC_5746_SUPPORTED = result;
+ DEFAULT_SERVER_PROTOCOLS = protocols;
}
protected boolean initialized;
@@ -587,7 +605,9 @@
* @param protocols the protocols to use.
*/
protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){
- if (protocols != null) {
+ if (protocols == null) {
+ socket.setEnabledProtocols(DEFAULT_SERVER_PROTOCOLS);
+ } else {
socket.setEnabledProtocols(protocols);
}
}
@@ -603,68 +623,29 @@
* the requested protocol variants are supported
*/
protected String[] getEnabledProtocols(SSLServerSocket socket,
- String requestedProtocols){
- String[] supportedProtocols = socket.getSupportedProtocols();
+ String requestedProtocols){
+ Set<String> supportedProtocols = new HashSet<String>();
+ for (String supportedProtocol : socket.getSupportedProtocols()) {
+ supportedProtocols.add(supportedProtocol);
+ }
- String[] enabledProtocols = null;
+ if (requestedProtocols == null) {
+ return DEFAULT_SERVER_PROTOCOLS;
+ }
- if (requestedProtocols != null) {
- Vector vec = null;
- String protocol = requestedProtocols;
- int index = requestedProtocols.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- protocol = requestedProtocols.substring(fromIndex, index).trim();
- if (protocol.length() > 0) {
- /*
- * Check to see if the requested protocol is among the
- * supported protocols, i.e., may be enabled
- */
- for (int i=0; supportedProtocols != null
- && i<supportedProtocols.length; i++) {
- if (supportedProtocols[i].equals(protocol)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(protocol);
- break;
- }
- }
- }
- fromIndex = index+1;
- index = requestedProtocols.indexOf(',', fromIndex);
- } // while
- protocol = requestedProtocols.substring(fromIndex);
- }
+ String[] requestedProtocolsArr = requestedProtocols.split(",");
+ List<String> enabledProtocols = new ArrayList<String>(requestedProtocolsArr.length);
- if (protocol != null) {
- protocol = protocol.trim();
- if (protocol.length() > 0) {
- /*
- * Check to see if the requested protocol is among the
- * supported protocols, i.e., may be enabled
- */
- for (int i=0; supportedProtocols != null
- && i<supportedProtocols.length; i++) {
- if (supportedProtocols[i].equals(protocol)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(protocol);
- break;
- }
- }
- }
- }
-
- if (vec != null) {
- enabledProtocols = new String[vec.size()];
- vec.copyInto(enabledProtocols);
+ for (String requestedProtocol : requestedProtocolsArr) {
+ String requestedProtocolTrim = requestedProtocol.trim();
+ if (supportedProtocols.contains(requestedProtocolTrim)) {
+ enabledProtocols.add(requestedProtocolTrim);
+ } else {
+ CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(requestedProtocolTrim);
}
}
- return enabledProtocols;
+ return enabledProtocols.toArray(new String[enabledProtocols.size()]);
}
/**
@@ -705,8 +686,7 @@
}
String requestedProtocols = (String) attributes.get("protocols");
- setEnabledProtocols(socket, getEnabledProtocols(socket,
- requestedProtocols));
+ socket.setEnabledProtocols(getEnabledProtocols(socket, requestedProtocols));
// we don't know if client auth is needed -
// after parsing the request we may re-handshake
@@ -755,4 +735,21 @@
}
+ public static String[] filterInsecureProcotols(String[] protocols) {
+ if (protocols == null) {
+ return null;
+ }
+
+ List<String> result = new ArrayList<String>(protocols.length);
+ for (String protocol : protocols) {
+ if (protocol == null || protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) {
+ if (CoyoteLogger.UTIL_LOGGER.isDebugEnabled()) {
+ CoyoteLogger.UTIL_LOGGER.debug("Exclude protocol: " + protocol);
+ }
+ } else {
+ result.add(protocol);
+ }
+ }
+ return result.toArray(new String[result.size()]);
+ }
}
Modified: branches/7.5.x/src/main/java/org/jboss/web/CoyoteLogger.java
===================================================================
--- branches/7.5.x/src/main/java/org/jboss/web/CoyoteLogger.java 2014-12-01 12:49:41 UTC (rev 2562)
+++ branches/7.5.x/src/main/java/org/jboss/web/CoyoteLogger.java 2014-12-03 11:48:06 UTC (rev 2563)
@@ -518,4 +518,8 @@
@Message(id = 3105, value = "Socket accept failed")
void warnAcceptingSocket(@Cause Throwable exception);
+ @LogMessage(level = WARN)
+ @Message(id = 3106, value = "Unsupported protocol %s")
+ void unsupportedProtocol(String unsupportedProtocol);
+
}
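Review bot: The new message `Unsupported protocol %s` says what was rejected but not what happened next; every caller on this page (`getEnabledProtocols` here and in r2564, and the AprEndpoint loop in r2565) drops the entry and keeps going, so an operator reading the log cannot tell that the connector came up with fewer protocols than configured. Consider `@Message(id = 3106, value = "Unsupported SSL/TLS protocol %s, it is ignored")` so the consequence is explicit in the log line. The enclosing interface declaration starts outside the hunk.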
JBossWeb SVN: r2562 - branches/7.4.x/src/main/java/org/jboss/web/rewrite.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-12-01 07:49:41 -0500 (Mon, 01 Dec 2014)
New Revision: 2562
Modified:
branches/7.4.x/src/main/java/org/jboss/web/rewrite/RewriteValve.java
Log:
BZ1158381: Port cookie flag.
Modified: branches/7.4.x/src/main/java/org/jboss/web/rewrite/RewriteValve.java
===================================================================
--- branches/7.4.x/src/main/java/org/jboss/web/rewrite/RewriteValve.java 2014-11-28 11:38:40 UTC (rev 2561)
+++ branches/7.4.x/src/main/java/org/jboss/web/rewrite/RewriteValve.java 2014-12-01 12:49:41 UTC (rev 2562)
@@ -622,12 +622,12 @@
protected static void parseRuleFlag(String line, RewriteRule rule, String flag) {
if (flag.equals("chain") || flag.equals("C")) {
rule.setChain(true);
- } else if (flag.startsWith("cookie=") || flag.startsWith("C=")) {
+ } else if (flag.startsWith("cookie=") || flag.startsWith("CO=")) {
rule.setCookie(true);
if (flag.startsWith("cookie")) {
flag = flag.substring("cookie=".length());
- } else if (flag.startsWith("C=")) {
- flag = flag.substring("C=".length());
+ } else if (flag.startsWith("CO=")) {
+ flag = flag.substring("CO=".length());
}
StringTokenizer tokenizer = new StringTokenizer(flag, ":");
if (tokenizer.countTokens() < 2) {