This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new ecc0c5f Don't warn that SSLv2Hello is unavailable unless explicitly configured ecc0c5f is described below commit ecc0c5f8dd3afd125daea4a9e944224ff275208a Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Apr 18 22:33:22 2019 +0100 Don't warn that SSLv2Hello is unavailable unless explicitly configured --- java/org/apache/tomcat/util/net/SSLUtilBase.java | 17 ++++++++++++----- java/org/apache/tomcat/util/net/jsse/JSSEUtil.java | 7 ------- .../org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 7 ------- webapps/docs/changelog.xml | 8 ++++++++ 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java index dc2c52c..a20b5c5 100644 --- a/java/org/apache/tomcat/util/net/SSLUtilBase.java +++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java @@ -89,13 +89,21 @@ public abstract class SSLUtilBase implements SSLUtil { // Calculate the enabled protocols Set<String> configuredProtocols = sslHostConfig.getProtocols(); - if (!isTls13Available() && + Set<String> implementedProtocols = getImplementedProtocols(); + // If TLSv1.3 is not implemented and not explicitly requested we can + // ignore it. It is included in the defaults so it may be configured. + if (!implementedProtocols.contains(Constants.SSL_PROTO_TLSv1_3) && !sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_TLSv1_3)) { - // TLS 1.3 not implemented and not explicitly requested so ignore it - // if present configuredProtocols.remove(Constants.SSL_PROTO_TLSv1_3); } - Set<String> implementedProtocols = getImplementedProtocols(); + // Newer JREs are dropping support for SSLv2Hello. If it is not + // implemented and not explicitly requested we can ignore it. It is + // included in the defaults so it may be configured. + if (!implementedProtocols.contains(Constants.SSL_PROTO_SSLv2Hello) && + !sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_SSLv2Hello)) { + configuredProtocols.remove(Constants.SSL_PROTO_SSLv2Hello); + } + List<String> enabledProtocols = getEnabled("protocols", getLog(), warnTls13, configuredProtocols, implementedProtocols); if (enabledProtocols.contains("SSLv3")) { @@ -527,7 +535,6 @@ public abstract class SSLUtilBase implements SSLUtil { protected abstract Set<String> getImplementedProtocols(); protected abstract Set<String> getImplementedCiphers(); protected abstract Log getLog(); - protected abstract boolean isTls13Available(); protected abstract boolean isTls13RenegAuthAvailable(); protected abstract SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception; } diff --git a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java index 235fc4b..c30dac2 100644 --- a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java +++ b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java @@ -27,7 +27,6 @@ import java.util.Set; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.compat.JreVendor; -import org.apache.tomcat.util.compat.TLS; import org.apache.tomcat.util.net.Constants; import org.apache.tomcat.util.net.SSLContext; import org.apache.tomcat.util.net.SSLHostConfigCertificate; @@ -134,12 +133,6 @@ public class JSSEUtil extends SSLUtilBase { @Override - protected boolean isTls13Available() { - return TLS.isTlsv13Available(); - } - - - @Override protected boolean isTls13RenegAuthAvailable() { // TLS 1.3 does not support authentication after the initial handshake return false; diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java index 74e115f..e8f0b9b 100644 --- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java @@ -26,7 +26,6 @@ import javax.net.ssl.X509KeyManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -import org.apache.tomcat.jni.SSL; import org.apache.tomcat.util.net.SSLContext; import org.apache.tomcat.util.net.SSLHostConfigCertificate; import org.apache.tomcat.util.net.SSLUtilBase; @@ -63,12 +62,6 @@ public class OpenSSLUtil extends SSLUtilBase { @Override - protected boolean isTls13Available() { - return SSL.version() >= 0x1010100f; - } - - - @Override protected boolean isTls13RenegAuthAvailable() { // OpenSSL does support authentication after the initial handshake return true; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b8a0685..7dc0c42 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -81,6 +81,14 @@ </scode> </changelog> </subsection> + <subsection name="Coyote"> + <changelog> + <fix> + When running on newer JREs that don't support SSLv2Hello, don't warn + that it is not available unless explicitly configured. (markt) + </fix> + </changelog> + </subsection> </section> <section name="Tomcat 8.5.40 (markt)" rtext="2019-04-12"> <subsection name="Catalina"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org