Author: markt Date: Tue Dec 23 10:09:03 2014 New Revision: 1647530 URL: http://svn.apache.org/r1647530 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391 Allow TLS Session Tickets to be disabled. Patch provided by Josiah Purtlebaugh.
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1647530&r1=1647529&r2=1647530&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Dec 23 10:09:03 2014 @@ -183,6 +183,13 @@ public class Http11AprProtocol extends A public boolean getSSLDisableCompression() { return ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); } public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); } + /** + * Disable TLS Session Tickets (RFC 4507). + */ + public boolean getSSLDisableSessionTickets() { return ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); } + public void setSSLDisableSessionTickets(boolean enable) { ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); } + + // ----------------------------------------------------- JMX related methods @Override Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1647530&r1=1647529&r2=1647530&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Dec 23 10:09:03 2014 @@ -271,6 +271,12 @@ public class AprEndpoint extends Abstrac public String getSSLCARevocationFile() { return SSLCARevocationFile; } public void setSSLCARevocationFile(String SSLCARevocationFile) { this.SSLCARevocationFile = SSLCARevocationFile; } + /** + * SSL disable TLS Session Tickets (RFC 4507). + */ + protected boolean SSLDisableSessionTickets = false; + public boolean getSSLDisableSessionTickets() { return SSLDisableSessionTickets; } + public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets = SSLDisableSessionTickets; } /** * SSL verify client. @@ -575,6 +581,24 @@ public class AprEndpoint extends Abstrac SSL.versionString())); } } + + // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy + if (SSLDisableSessionTickets) { + boolean disableSessionTicketsSupported = false; + try { + disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET); + if (disableSessionTicketsSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET); + } catch (UnsatisfiedLinkError e) { + // Ignore + } + + if (!disableSessionTicketsSupported) { + // OpenSSL is too old to support TLS Session Tickets. + log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", + SSL.versionString())); + } + } // List the ciphers that the client is permitted to negotiate SSLContext.setCipherSuite(sslContext, SSLCipherSuite); Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1647530&r1=1647529&r2=1647530&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Tue Dec 23 10:09:03 2014 @@ -19,6 +19,7 @@ endpoint.err.handshake=Handshake failed endpoint.err.unexpected=Unexpected error processing socket endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because the executor had already been shutdown endpoint.warn.noDisableCompression='Disable compression' option is not supported by the SSL library {0} +endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is not supported by the SSL library {0} endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0} endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0} endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown. Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1647530&r1=1647529&r2=1647530&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Tue Dec 23 10:09:03 2014 @@ -1348,6 +1348,11 @@ "10".</p> </attribute> + <attribute name="SSLDisableSessionTickets" required="false"> + <p>Disables use of TLS Session Tickets (RFC 4507) if set to + <code>true</code>. Default is <code>false</code>.</p> + </attribute> + </attributes> </subsection> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org