Author: markt Date: Thu Apr 30 21:33:27 2015 New Revision: 1677080 URL: http://svn.apache.org/r1677080 Log: Make cipher suite order significant (expressing preference) for JSSE to align with OpenSSL.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677080&r1=1677079&r2=1677080&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Apr 30 21:33:27 2015
@@ -1006,10 +1006,6 @@ public abstract class AbstractEndpoint<S
 ciphers = s;
 }
 
- private String useServerCipherSuitesOrder = "false";
- public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
- public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
-
 private String keyAlias = null;
 public String getKeyAlias() { return keyAlias;}
 public void setKeyAlias(String s ) { keyAlias = s;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1677080&r1=1677079&r2=1677080&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu Apr 30 21:33:27 2015
@@ -98,7 +98,12 @@ public abstract class AbstractJsseEndpoi
 engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
 engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
 
- configureUseServerCipherSuitesOrder(engine);
+ // Force server cipher suite order to be honored
+ SSLParameters sslParameters = engine.getSSLParameters();
+ sslParameters.setUseCipherSuitesOrder(true);
+ // Following line may not be required. Depends if JRE takes a defensive
+ // copy. Keep the line to avoid any possible issues.
+ engine.setSSLParameters(sslParameters);
 
 return engine;
 }
@@ -112,24 +117,6 @@ public abstract class AbstractJsseEndpoi
 }
 
 
- /**
- * Configures SSLEngine to honor cipher suites ordering based upon
- * endpoint configuration.
- */
- private void configureUseServerCipherSuitesOrder(SSLEngine engine) {
- String useServerCipherSuitesOrderStr = this
- .getUseServerCipherSuitesOrder().trim();
-
- SSLParameters sslParameters = engine.getSSLParameters();
- boolean useServerCipherSuitesOrder =
- ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
- || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
-
- sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder);
- engine.setSSLParameters(sslParameters);
- }
-
-
 private KeyManager[] wrap(KeyManager[] managers) {
 if (managers==null) return null;
 KeyManager[] result = new KeyManager[managers.length];
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677080&r1=1677079&r2=1677080&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Apr 30 21:33:27 2015
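Review bot: The two comment lines before `engine.setSSLParameters(sslParameters)` leave the write-back sounding optional, but it is required: in the JDK implementation `SSLEngine.getSSLParameters()` constructs a fresh `SSLParameters` value from the engine's current state, so `setUseCipherSuitesOrder(true)` on that object has no effect until `setSSLParameters` is called. Replace them with `// getSSLParameters() returns a detached copy; the flag only takes effect once written back`. Because server preference is now unconditional, the order of the array passed to `engine.setEnabledCipherSuites(...)` two lines above is what decides which suite is negotiated; if `sslContextWrapper.getEnabledCiphers()` does not guarantee that the configured order is preserved, that deserves a comment or a check at its source. The enclosing method's signature is outside the hunk; the hunks at -1006 and -112 only remove the old configurable path and need no separate note.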
@@ -1158,8 +1158,8 @@ branch.</p>
 <p>If not specified, a default (using the OpenSSL notation) of <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p>
- <p>Note that Java does not treat the order in which ciphers are defined as
- an order of preference. See <code>useServerCipherSuitesOrder</code>.</p>
+ <p>Note that JSSE based connectors will always be configured to treat the
+ order in which ciphers are defined as an order of preference.</p>
 </attribute>
 <attribute name="clientAuth" required="false">
@@ -1318,15 +1318,6 @@ the default.</p>
 </attribute>
- <attribute name="useServerCipherSuitesOrder" required="false">
- <p>
- Set to <code>true</code> to enforce the server's cipher order
- (from the <code>ciphers</code> setting). Set to <code>false</code>
- to choose the first acceptable cipher suite presented by the client.
- Default is <code>false</code>.
- </p>
- </attribute>
-
 </attributes>
 </subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org