Author: jfclere
Date: 2014-12-03 12:16:43 -0500 (Wed, 03 Dec 2014)
New Revision: 2565
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java
Log:
BZ1158847: Port patch filtering SSL protocols for native
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java 2014-12-03 17:05:46 UTC
(rev 2564)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/jni/SSL.java 2014-12-03 17:16:43 UTC
(rev 2565)
@@ -73,7 +73,9 @@
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_ALL =
(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+ public static final int SSL_PROTOCOL_ALL =
(SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2);
/*
* Define the SSL verify levels
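Review bot: `SSL_PROTOCOL_ALL` changes meaning here without any comment: it now covers TLSv1, TLSv1.1 and TLSv1.2 only, and SSLv2 and SSLv3 are no longer part of it even though their constants stay defined two lines above. Because AprEndpoint falls back to this constant when no protocol is configured, a reader of SSL.java alone cannot tell that the default excludes SSLv2/SSLv3 by design rather than by accident. Add a comment above the constant, e.g. `/* Default ("all") protocol mask: TLSv1 and later only; SSLv2 and SSLv3 must be requested explicitly. */`.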
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java 2014-12-03
17:05:46 UTC (rev 2564)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/AprEndpoint.java 2014-12-03
17:16:43 UTC (rev 2565)
@@ -622,16 +622,34 @@
if (SSLEnabled) {
// SSL protocol
- int value = SSL.SSL_PROTOCOL_ALL;
- if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2;
- } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV3;
- } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_TLSV1;
- } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
- value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+ int value = SSL.SSL_PROTOCOL_NONE;
+ if (SSLProtocol == null || SSLProtocol.length() == 0) {
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ String protocols = SSLProtocol.replace(',', '+');
+ for (String protocol : protocols.split("\\+")) {
+ protocol = protocol.trim();
+ if ("SSLv2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
+ } else if ("all".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_ALL;
+ } else {
+ // Protocol not recognized, fail to start as it is safer than
+ // continuing with the default which might enable more than the
+ // is required
+ CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(protocol);
+ }
+ }
}
+
// Create SSL Context
sslContext = SSLContext.make(rootPool, value, (reverseConnection) ?
SSL.SSL_MODE_CLIENT : SSL.SSL_MODE_SERVER);
// SSL renegociation
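Review bot: The comment in the unrecognized-protocol branch says the endpoint should "fail to start", but the code under it only calls `CoyoteLogger.UTIL_LOGGER.unsupportedProtocol(protocol)` and the loop continues, so a mistyped token is logged and silently dropped while the remaining tokens still take effect. If every token is rejected, `value` stays `SSL.SSL_PROTOCOL_NONE` and is handed to `SSLContext.make` a few lines below; what the native side does with an empty protocol mask is not visible here and should be confirmed. To make the code match its comment, abort after logging — `throw new Exception("Unsupported SSL protocol: " + protocol);` (or whatever exception type the enclosing method's throws clause allows) — instead of relying on the log line alone. The comment itself also reads "more than the is required" and should say "more than is required". The enclosing method starts and ends outside this hunk.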