Author: markt
Date: Tue Dec 23 10:09:03 2014
New Revision: 1647530
URL: http://svn.apache.org/r1647530
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391
Allow TLS Session Tickets to be disabled.
Patch provided by Josiah Purtlebaugh.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1647530&r1=1647529&r2=1647530&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Dec
23 10:09:03 2014
@@ -183,6 +183,13 @@ public class Http11AprProtocol extends A
public boolean getSSLDisableCompression() { return
((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
public void setSSLDisableCompression(boolean disable) {
((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); }
+ /**
+ * Disable TLS Session Tickets (RFC 4507).
+ */
+ public boolean getSSLDisableSessionTickets() { return
((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); }
+ public void setSSLDisableSessionTickets(boolean enable) {
((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); }
+
+
// ----------------------------------------------------- JMX related
methods
@Override
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1647530&r1=1647529&r2=1647530&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Dec 23
10:09:03 2014
@@ -271,6 +271,12 @@ public class AprEndpoint extends Abstrac
public String getSSLCARevocationFile() { return SSLCARevocationFile; }
public void setSSLCARevocationFile(String SSLCARevocationFile) {
this.SSLCARevocationFile = SSLCARevocationFile; }
+ /**
+ * SSL disable TLS Session Tickets (RFC 4507).
+ */
+ protected boolean SSLDisableSessionTickets = false;
+ public boolean getSSLDisableSessionTickets() { return
SSLDisableSessionTickets; }
+ public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets)
{ this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
/**
* SSL verify client.
@@ -575,6 +581,24 @@ public class AprEndpoint extends Abstrac
SSL.versionString()));
}
}
+
+ // Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
+ if (SSLDisableSessionTickets) {
+ boolean disableSessionTicketsSupported = false;
+ try {
+ disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+ if (disableSessionTicketsSupported)
+ SSLContext.setOptions(sslContext,
SSL.SSL_OP_NO_TICKET);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+
+ if (!disableSessionTicketsSupported) {
+ // OpenSSL is too old to support TLS Session Tickets.
+
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+ SSL.versionString()));
+ }
+ }
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1647530&r1=1647529&r2=1647530&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Tue
Dec 23 10:09:03 2014
@@ -19,6 +19,7 @@ endpoint.err.handshake=Handshake failed
endpoint.err.unexpected=Unexpected error processing socket
endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because
the executor had already been shutdown
endpoint.warn.noDisableCompression='Disable compression' option is not
supported by the SSL library {0}
+endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is
not supported by the SSL library {0}
endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported
by the SSL library {0}
endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the
SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock.
Forcing hard socket shutdown.
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1647530&r1=1647529&r2=1647530&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Tue Dec 23 10:09:03 2014
@@ -1348,6 +1348,11 @@
"10".</p>
</attribute>
+ <attribute name="SSLDisableSessionTickets" required="false">
+ <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+ <code>true</code>. Default is <code>false</code>.</p>
+ </attribute>
+
</attributes>
</subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
