Author: remy.maucherat(a)jboss.com
Date: 2010-03-25 13:17:13 -0400 (Thu, 25 Mar 2010)
New Revision: 1420
Modified:
trunk/java/org/apache/catalina/core/AprLifecycleListener.java
trunk/java/org/apache/tomcat/jni/SSL.java
trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Log:
- Port SSL renegotiation option.
Modified: trunk/java/org/apache/catalina/core/AprLifecycleListener.java
===================================================================
--- trunk/java/org/apache/catalina/core/AprLifecycleListener.java 2010-03-25 02:48:03 UTC
(rev 1419)
+++ trunk/java/org/apache/catalina/core/AprLifecycleListener.java 2010-03-25 17:17:13 UTC
(rev 1420)
@@ -58,7 +58,7 @@
protected static final int TCN_REQUIRED_MAJOR = 1;
protected static final int TCN_REQUIRED_MINOR = 1;
protected static final int TCN_REQUIRED_PATCH = 8;
- protected static final int TCN_RECOMMENDED_PV = 17;
+ protected static final int TCN_RECOMMENDED_PV = 21;
// ---------------------------------------------- Properties
Modified: trunk/java/org/apache/tomcat/jni/SSL.java
===================================================================
--- trunk/java/org/apache/tomcat/jni/SSL.java 2010-03-25 02:48:03 UTC (rev 1419)
+++ trunk/java/org/apache/tomcat/jni/SSL.java 2010-03-25 17:17:13 UTC (rev 1420)
@@ -116,6 +116,10 @@
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+ /* Permit unsafe legacy renegotiation */
+ public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000;
+ /* If set, always create a new key when using tmp_eddh parameters */
+ public static final int SSL_OP_SINGLE_ECDH_USE = 0x00080000;
/* If set, always create a new key when using tmp_dh parameters */
public static final int SSL_OP_SINGLE_DH_USE = 0x00100000;
/* Set to always use the tmp_rsa key when doing RSA operations,
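Review bot: The comment added for SSL_OP_SINGLE_ECDH_USE reads `tmp_eddh`, which looks like a typo for `tmp_ecdh`, since the option concerns ephemeral ECDH keys and mirrors the `tmp_dh` wording on the constant right below it; suggest `/* If set, always create a new key when using tmp_ecdh parameters */`. The one-line comment on SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION would also help a reader of this file if it said what "unsafe" refers to, e.g. `/* Permit renegotiation with peers that do not support secure renegotiation (legacy, pre-RFC 5746 behaviour) */`.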
@@ -323,4 +327,16 @@
* Return last SSL error string
*/
public static native String getLastError();
+
+ /**
+ * Return true if SSL_OP_ if defined.
+ * <p>
+ * Currently used for testing weather the
+ * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
+ * <p>
+ * @param op SSL_OP to test.
+ * @return true if SSL_OP is supported by OpenSSL library.
+ */
+ public static native boolean hasOp(int op);
+
}
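Review bot: The Javadoc on the new hasOp is garbled: the summary `Return true if SSL_OP_ if defined.` is an incomplete sentence and `weather` should be `whether`. Suggest `Return true if the given SSL_OP_* constant is defined in the OpenSSL build the native library was compiled against.` as the summary and `Currently used for testing whether SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.` for the second paragraph. Since hasOp is a newly added native method while TCN_REQUIRED_PATCH in AprLifecycleListener stays at 8, it would also be worth documenting which tomcat-native version first provides it; presumably a call against an older library fails at link time with UnsatisfiedLinkError rather than returning false.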
Modified: trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
===================================================================
--- trunk/java/org/apache/tomcat/util/net/AprEndpoint.java 2010-03-25 02:48:03 UTC (rev
1419)
+++ trunk/java/org/apache/tomcat/util/net/AprEndpoint.java 2010-03-25 17:17:13 UTC (rev
1420)
@@ -469,6 +469,14 @@
public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth =
SSLVerifyDepth; }
+ /**
+ * SSL allow insecure renegotiation for the the client that does not
+ * support the secure renegotiation.
+ */
+ protected boolean SSLInsecureRenegotiation = false;
+ public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) {
this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
+ public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
+
// --------------------------------------------------------- Public Methods
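Review bot: The Javadoc on the new SSLInsecureRenegotiation field has a duplicated word, `for the the client`, and does not state the default. Suggest `Allow insecure (legacy) renegotiation for clients that do not support secure renegotiation. Defaults to false; enabling it re-accepts the renegotiation weakness that secure renegotiation was introduced to close.` The lowerCamelCase convention would give `sslInsecureRenegotiation`, but the neighbouring SSL* fields such as SSLVerifyDepth use the same capitalisation, so consistency with the file is the better choice here.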
@@ -636,6 +644,16 @@
}
// Create SSL Context
sslContext = SSLContext.make(rootPool, value, (reverseConnection) ?
SSL.SSL_MODE_CLIENT : SSL.SSL_MODE_SERVER);
+ // SSL renegociation
+ if (SSLInsecureRenegotiation) {
+ if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ else {
+ // OpenSSL does not support unsafe legacy renegotiation.
+ log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+ SSL.versionString()));
+ }
+ }
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
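Review bot: The `if` on the hasOp result applies the option without braces while its `else` is braced, and the comment above it reads `renegociation`; suggest bracing both branches: `if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {` / `SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);` / `} else {`. A warning is logged only when the library cannot honour the setting; when it is honoured nothing is logged, so an operator reading startup logs cannot tell that insecure renegotiation is active on this endpoint — a warn-level line in the then-branch (with its own LocalStrings key) would make the weakened configuration visible. The enclosing method starts and ends outside the hunk.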
Modified: trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties 2010-03-25 02:48:03
UTC (rev 1419)
+++ trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties 2010-03-25 17:17:13
UTC (rev 1420)
@@ -26,3 +26,4 @@
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the
system doesn't support it
+endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library
{0}
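Review bot: The new message text contains a typo, `renegotation`; suggest `endpoint.warn.noInsecureReneg=Secure renegotiation is not supported by the SSL library {0}`. The key name speaks of the insecure option being unavailable while the text speaks of secure renegotiation being unsupported; the two agree only if the reader knows the legacy option is absent exactly when the library predates secure renegotiation, so wording such as `The SSL library {0} does not support the unsafe legacy renegotiation option; the SSLInsecureRenegotiation setting is ignored` may be clearer to an operator.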