Author: schultz
Date: Thu Jan 17 20:03:00 2013
New Revision: 1434882
URL: http://svn.apache.org/viewvc?rev=1434882&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
Allow APR connector to disable TLS compression if OpenSSL supports it.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1434882&r1=1434881&r2=1434882&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Jan
17 20:03:00 2013
@@ -188,6 +188,12 @@ public class Http11AprProtocol extends A
public int getSSLVerifyDepth() { return
((AprEndpoint)endpoint).getSSLVerifyDepth(); }
public void setSSLVerifyDepth(int SSLVerifyDepth) {
((AprEndpoint)endpoint).setSSLVerifyDepth(SSLVerifyDepth); }
+ /**
+ * Disable SSL compression.
+ */
+ public boolean getSSLDisableCompression() { return
((AprEndpoint)endpoint).getSSLDisableCompression(); }
+ public void setSSLDisableCompression(boolean disable) {
((AprEndpoint)endpoint).setSSLDisableCompression(disable); }
+
// ----------------------------------------------------- JMX related
methods
@Override
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1434882&r1=1434881&r2=1434882&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Jan 17 20:03:00 2013
@@ -113,6 +113,8 @@ public final class SSL {
public static final int SSL_OP_ALL =
0x00000FFF;
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
0x00010000;
+ /* Don't use compression even if supported */
+ public static final int SSL_OP_NO_COMPRESSION =
0x00020000;
/* Permit unsafe legacy renegotiation */
public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
0x00040000;
/* If set, always create a new key when using tmp_eddh parameters */
@@ -338,15 +340,16 @@ public final class SSL {
public static native String getLastError();
/**
- * Return true if SSL_OP_ if defined.
- * <p>
- * Currently used for testing weather the
- * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
- * <p>
- * @param op SSL_OP to test.
- * @return true if SSL_OP is supported by OpenSSL library.
+ * Return true if all the requested SSL_OP_* are supported by OpenSSL.
+ *
+ * <i>Note that for versions of tcnative < 1.1.25, this method will
+ * return <code>true</code> if and only if <code>op</code>=
+ * {@link #SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION} and tcnative
+ * supports that flag.</i>
+ *
+ * @param Bitwise-OR of all SSL_OP_* to test.
+ *
+ * @return true if all SSL_OP_* are supported by OpenSSL library.
*/
public static native boolean hasOp(int op);
-
}
-
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1434882&r1=1434881&r2=1434882&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jan 17
20:03:00 2013
@@ -308,6 +308,19 @@ public class AprEndpoint extends Abstrac
public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) {
this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
+ /**
+ * Disables compression of the SSL stream. This thwarts CRIME attack
+ * and possibly improves performance by not compressing uncompressible
+ * content such as JPEG, etc.
+ */
+ protected boolean SSLDisableCompression = false;
+
+ /**
+ * Set to <code>true</code> to disable SSL compression. This thwarts CRIME
+ * attack.
+ */
+ public void setSSLDisableCompression(boolean SSLDisableCompression) {
this.SSLDisableCompression = SSLDisableCompression; }
+ public boolean getSSLDisableCompression() { return SSLDisableCompression; }
/**
* Port in use.
@@ -511,6 +524,23 @@ public class AprEndpoint extends Abstrac
}
}
+ // Disable compression if requested
+ if (SSLDisableCompression) {
+ boolean disableCompressionSupported = false;
+ try {
+ disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+ if (disableCompressionSupported)
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_NO_COMPRESSION);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!disableCompressionSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noDisableCompression",
+ SSL.versionString()));
+ }
+ }
+
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1434882&r1=1434881&r2=1434882&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
Thu Jan 17 20:03:00 2013
@@ -18,6 +18,7 @@ endpoint.err.close=Caught exception tryi
endpoint.err.handshake=Handshake failed
endpoint.err.unexpected=Unexpected error processing socket
endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because
the executor had already been shutdown
+endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1434882&r1=1434881&r2=1434882&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Jan 17 20:03:00 2013
@@ -1201,6 +1201,12 @@
supported).</p>
</attribute>
+ <attribute name="SSLDisableCompression" required="false">
+ <p>Disables compression if set to <code>true</code> and OpenSSL supports
+ disabling comprssion. Default is <code>false</code> which inherits the
+ default compression setting in OpenSSL.</p>
+ </attribute>
+
<attribute name="SSLHonorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>SSLCipherSuite</code> setting) instead of allowing
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
