Author: schultz
Date: Thu Aug 9 16:27:55 2012
New Revision: 1371298
URL: http://svn.apache.org/viewvc?rev=1371298&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
Added support for SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder.
Added:
tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt (with props)
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1371283
Added: tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt?rev=1371298&view=auto
==============================================================================
--- tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt (added)
+++ tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt Thu Aug 9 16:27:55 2012
@@ -0,0 +1,41 @@
+================================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+================================================================================
+
+Notes of things to consider for the next major Tomcat release (probably 8.0.x
+but possibly 7.1.x).
+
+1. Refactor the TLD parsing. TLDs are currently parsed twice. Once by Catalina
+ looking for listeners and once by Jasper.
+
+2. Refactor the XML parsing (org.apache.tomcat.util.xml ?) to remove duplicate
+ XML parsing code in Catalina and Jasper such as the entity resolvers used
for
+ validation.
+
+3. TLDs may have a many to many relationship between URIs and TLD files. This
+ can result in the same TLD file being parsed many times. Refactor the
+ TldLocationCache to cache the parsed nodes (will need to check for changes
to
+ TLD files).
+
+4. TLD files should be included in the dependencies for JSP and Tag files.
+
+5. Run the unused code detector and remove everything that isn't currently
used.
+ Add deprecation markers for the removed code to Tomcat 7.0.x
+
+6. Change the default URIEncoding on the connector to UTF-8.
+
+7. Rip out all the JNDI code in resource handling and replace it with straight
+ URLs (File or WAR).
\ No newline at end of file
Propchange: tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt
------------------------------------------------------------------------------
svn:eol-style = native
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
Thu Aug 9 16:27:55 2012
@@ -118,6 +118,17 @@ public class Http11AprProtocol extends A
/**
+ * SSL honor cipher order.
+ *
+ * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+ * instead of the default which is to allow the client to choose a
+ * preferred cipher.
+ */
+ public boolean getSSLHonorCipherOrder() { return
((AprEndpoint)endpoint).getSSLHonorCipherOrder(); }
+ public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) {
((AprEndpoint)endpoint).setSSLHonorCipherOrder(SSLHonorCipherOrder); }
+
+
+ /**
* SSL certificate file.
*/
public String getSSLCertificateFile() { return
((AprEndpoint)endpoint).getSSLCertificateFile(); }
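Review bot: The new Javadoc on getSSLHonorCipherOrder describes the option as enforcing the server's order, but the AprEndpoint change in this same commit only applies it when the native library reports SSL_OP_CIPHER_SERVER_PREFERENCE, and otherwise logs a warning and keeps the client-preferred order; an operator reading this Javadoc will not know the setting is best-effort. I would add a sentence such as `* Only honoured when the underlying tcnative/OpenSSL build supports SSL_OP_CIPHER_SERVER_PREFERENCE; otherwise a warning is logged at start-up and the client's preference is used.` The same sentence belongs on the setter Javadoc added to AprEndpoint in the first hunk of that file. The setter here has no Javadoc at all; a one-line `/** @see #getSSLHonorCipherOrder() */` would keep the pair consistent with the neighbouring accessors.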
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu
Aug 9 16:27:55 2012
@@ -317,6 +317,15 @@ public class AprEndpoint extends Abstrac
public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation)
{ this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
public boolean getSSLInsecureRenegotiation() { return
SSLInsecureRenegotiation; }
+ protected boolean SSLHonorCipherOrder = false;
+ /**
+ * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+ * instead of the default which is to allow the client to choose a
+ * preferred cipher.
+ */
+ public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) {
this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
+ public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
+
/**
* Port in use.
@@ -526,6 +535,24 @@ public class AprEndpoint extends Abstrac
SSL.versionString()));
}
}
+
+ // Set cipher order: client (default) or server
+ if (SSLHonorCipherOrder) {
+ boolean orderCiphersSupported = false;
+ try {
+ orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (orderCiphersSupported)
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!orderCiphersSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+ SSL.versionString()));
+ }
+ }
+
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
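Review bot: The warning is skipped if SSLContext.setOptions throws UnsatisfiedLinkError, because orderCiphersSupported has already been set to true by the preceding SSL.hasOp call; the catch block then swallows the error with `// Ignore` and the administrator is left believing server cipher preference is in force when it was never applied. Since the whole point of the option is a security setting whose failure should be visible, the catch should reset the flag so the existing `if (!orderCiphersSupported)` branch fires: `} catch (UnsatisfiedLinkError e) {` / `    // Older tcnative lacks the entry point: treat as unsupported so the warning below is logged` / `    orderCiphersSupported = false;`. The message key used for that warning is also added twice in LocalStrings.properties in this commit. The enclosing method starts and ends outside this hunk.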
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Thu Aug 9 16:27:55 2012
@@ -41,8 +41,10 @@ endpoint.process.fail=Error allocating s
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version
or the system doesn't support it
-endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL
library {0}
+endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.debug.channelCloseFail=Failed to close channel
endpoint.debug.socketCloseFail=Failed to close socket
endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be
defined when using SSL with APR
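Review bot: The key `endpoint.warn.noHonorCipherOrder` is added twice in this hunk, once after endpoint.warn.noInsecureReneg and again after endpoint.warn.unlockAcceptorFailed; the hunk header's +2 count confirms both lines are really in the commit. Java properties loading keeps whichever occurrence is read last, so the duplicate is harmless today but will silently hide an edit to the first copy and will trip any duplicate-key check on the resource bundle. Drop the second `endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}` line and keep the one grouped with the other SSL warnings.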
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Aug 9 16:27:55 2012
@@ -70,6 +70,11 @@
<code>IllegalArgumentException</code> was thrown. (markt)
</fix>
<fix>
+ <bug>53481</bug>: Added support for SSLHonorCipherOrder to allow
+ the server to impose its cipher order on the client. Based on a patch
+ provided by Marcel Å ebek. (schultz)
+ </fix>
+ <fix>
<bug>53498</bug>: Fix atomicity bugs in use of concurrent collections.
Based on a patch by Yu Lin. (markt)
</fix>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Aug 9 16:27:55 2012
@@ -1177,6 +1177,12 @@
supported).</p>
</attribute>
+ <attribute name="SSLHonorCipherOrder" required="false">
+ <p>Set to <code>true</code> to enforce the server's cipher order
+ (from the <code>SSLCipherSuite</code> setting) instead of allowing
+ the client to choose the cipher (which is the default).</p>
+ </attribute>
+
<attribute name="SSLPassword" required="false">
<p>Pass phrase for the encrypted private key. If "SSLPassword" is not
provided, the callback function should prompt for the pass phrase.</p>