Author: rjung
Date: Tue May 26 14:59:04 2015
New Revision: 1681770
URL: http://svn.apache.org/r1681770
Log:
Use constants for SSL/TLS protocol names
to reduce chances of fatal consequences of
string typos.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/Constants.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1681770&r1=1681769&r2=1681770&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue May 26
14:59:04 2015
@@ -378,19 +378,19 @@ public class AprEndpoint extends Abstrac
value = SSL.SSL_PROTOCOL_ALL;
} else {
for (String protocol : sslHostConfig.getProtocols()) {
- if ("SSLv2Hello".equalsIgnoreCase(protocol)) {
+ if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
// NO-OP. OpenSSL always supports SSLv2Hello
- } else if ("SSLv2".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_SSLV2;
- } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_SSLV3;
- } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1;
- } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1_1;
- } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_TLSV1_2;
- } else if ("all".equalsIgnoreCase(protocol)) {
+ } else if
(Constants.SSL_PROTO_ALL.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_ALL;
} else {
// Protocol not recognized, fail to start as it is
safer than
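Review bot: The `Constants.SSL_PROTO_ALL` branch ORs in `SSL.SSL_PROTOCOL_ALL`, while `SSLHostConfig.setProtocols` (changed in the same commit) expands the same token to SSLv2Hello, TLSv1, TLSv1.1 and TLSv1.2 only, so the two paths give `all` different meanings if `SSL.SSL_PROTOCOL_ALL` also covers SSLv3 — its value is not visible in this diff, so that needs checking. A literal `all` can still reach this loop, because setProtocols only expands it when it is the entire input value. If the masks differ, consider building this branch from the same four protocols; at minimum document the divergence with `// NOTE: SSL_PROTOCOL_ALL is OpenSSL's notion of "all"; it need not match what SSLHostConfig.setProtocols expands "all" to`. The enclosing method starts before this hunk and the rejection branch continues past it.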
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/Constants.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/Constants.java?rev=1681770&r1=1681769&r2=1681770&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/Constants.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/Constants.java Tue May 26
14:59:04 2015
@@ -23,4 +23,16 @@ public class Constants {
* the tomcat instance installation path
*/
public static final String CATALINA_BASE_PROP = "catalina.base";
+
+ /**
+ * JSSE and OpenSSL protocol names
+ */
+ public static final String SSL_PROTO_ALL = "all";
+ public static final String SSL_PROTO_TLS = "TLS";
+ public static final String SSL_PROTO_TLSv1_2 = "TLSv1.2";
+ public static final String SSL_PROTO_TLSv1_1 = "TLSv1.1";
+ public static final String SSL_PROTO_TLSv1 = "TLSv1";
+ public static final String SSL_PROTO_SSLv3 = "SSLv3";
+ public static final String SSL_PROTO_SSLv2 = "SSLv2";
+ public static final String SSL_PROTO_SSLv2Hello = "SSLv2Hello";
}
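Review bot: The new constant names mix cases (`SSL_PROTO_TLSv1_2`, `SSL_PROTO_SSLv2Hello`) where the file's existing `CATALINA_BASE_PROP` and Java convention use UPPER_SNAKE_CASE, e.g. `SSL_PROTO_TLSV1_2`; if the lower-case `v` is kept deliberately to mirror the protocol string, say so in the Javadoc. The Javadoc `JSSE and OpenSSL protocol names` also lumps together values with different roles: `SSL_PROTO_ALL` is a Tomcat-level alias that `SSLHostConfig.setProtocols` expands, `SSL_PROTO_TLS` is used as the `sslProtocol` default rather than as a protocol version, and the remaining ones are compared case-insensitively and mapped to OpenSSL masks. A per-constant comment such as `/** Tomcat alias expanded by SSLHostConfig.setProtocols; not a protocol name. */` on `SSL_PROTO_ALL` would stop the next reader from treating them interchangeably.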
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1681770&r1=1681769&r2=1681770&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue May 26
14:59:04 2015
@@ -66,7 +66,7 @@ public class SSLHostConfig {
private String keyManagerAlgorithm =
KeyManagerFactory.getDefaultAlgorithm();
private int sessionCacheSize = 0;
private int sessionTimeout = 86400;
- private String sslProtocol = "TLS";
+ private String sslProtocol = Constants.SSL_PROTO_TLS;
private String trustManagerClassName;
private String truststoreAlgorithm =
TrustManagerFactory.getDefaultAlgorithm();
private String truststoreFile =
System.getProperty("javax.net.ssl.trustStore");
@@ -86,7 +86,7 @@ public class SSLHostConfig {
public SSLHostConfig() {
// Set defaults that can't be (easily) set when defining the fields.
- setProtocols("all");
+ setProtocols(Constants.SSL_PROTO_ALL);
// Configure fall-back defaults if system property is not set.
if (certificateKeystoreType == null) {
certificateKeystoreType = "JKS";
@@ -238,11 +238,11 @@ public class SSLHostConfig {
for (String value: values) {
String trimmed = value.trim();
if (trimmed.length() > 0) {
- if (input.trim().equalsIgnoreCase("all")) {
- protocols.add("SSLv2Hello");
- protocols.add("TLSv1");
- protocols.add("TLSv1.1");
- protocols.add("TLSv1.2");
+ if (input.trim().equalsIgnoreCase(Constants.SSL_PROTO_ALL)) {
+ protocols.add(Constants.SSL_PROTO_SSLv2Hello);
+ protocols.add(Constants.SSL_PROTO_TLSv1);
+ protocols.add(Constants.SSL_PROTO_TLSv1_1);
+ protocols.add(Constants.SSL_PROTO_TLSv1_2);
} else {
protocols.add(trimmed);
}
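Review bot: The expansion test on the new line `if (input.trim().equalsIgnoreCase(Constants.SSL_PROTO_ALL))` inspects the whole input rather than the `trimmed` element the loop is on, so `all` inside a comma-separated list (e.g. `TLSv1,all`) is not expanded but added verbatim as a protocol named `all`. If the whole-input restriction is intended, a comment such as `// "all" is only expanded when it is the entire value; in a mixed list it is passed through literally` would make that explicit; otherwise compare `trimmed.equalsIgnoreCase(Constants.SSL_PROTO_ALL)` so the expansion is per element. Note that the literal is later interpreted by AprEndpoint as `SSL.SSL_PROTOCOL_ALL`, whereas JSSE has no protocol named `all`. setProtocols starts and ends outside this hunk.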
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1681770&r1=1681769&r2=1681770&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
Tue May 26 14:59:04 2015
@@ -31,6 +31,7 @@ import java.util.Set;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -227,22 +228,6 @@ public class OpenSSLCipherConfigurationP
*/
private static final String FZA = "FZA";
/**
- * TLS v1.2 cipher suites. Note: there are no cipher suites specific to
TLS v1.1.
- */
- private static final String TLSv1_2 = "TLSv1.2";
- /**
- * TLS v1.0 cipher suites.
- */
- private static final String TLSv1 = "TLSv1";
- /**
- * SSL v2.0 cipher suites.
- */
- private static final String SSLv2 = "SSLv2";
- /**
- * SSL v3.0 cipher suites.
- */
- private static final String SSLv3 = "SSLv3";
- /**
* Cipher suites using DH, including anonymous DH, ephemeral DH and fixed
DH.
*/
private static final String DH = "DH";
@@ -449,11 +434,11 @@ public class OpenSSLCipherConfigurationP
addListAlias(aFZA, filterByAuthentication(allCiphers,
Collections.singleton(Authentication.FZA)));
addListAlias(eFZA, filterByEncryption(allCiphers,
Collections.singleton(Encryption.FZA)));
addListAlias(FZA, filter(allCiphers, null,
Collections.singleton(KeyExchange.FZA),
Collections.singleton(Authentication.FZA),
Collections.singleton(Encryption.FZA), null, null));
- addListAlias(TLSv1_2, filterByProtocol(allCiphers,
Collections.singleton(Protocol.TLSv1_2)));
- addListAlias("TLSv1.1", filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv3)));
- addListAlias(TLSv1, filterByProtocol(allCiphers, new
HashSet<>(Arrays.asList(Protocol.TLSv1, Protocol.SSLv3))));
- aliases.put(SSLv3, aliases.get(TLSv1));
- addListAlias(SSLv2, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv2)));
+ addListAlias(Constants.SSL_PROTO_TLSv1_2, filterByProtocol(allCiphers,
Collections.singleton(Protocol.TLSv1_2)));
+ addListAlias(Constants.SSL_PROTO_TLSv1_1, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv3)));
+ addListAlias(Constants.SSL_PROTO_TLSv1, filterByProtocol(allCiphers,
new HashSet<>(Arrays.asList(Protocol.TLSv1, Protocol.SSLv3))));
+ aliases.put(Constants.SSL_PROTO_SSLv3,
aliases.get(Constants.SSL_PROTO_TLSv1));
+ addListAlias(Constants.SSL_PROTO_SSLv2, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv2)));
addListAlias(DH, filterByKeyExchange(allCiphers, new
HashSet<>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd, KeyExchange.EDH))));
Set<Cipher> adh = filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.EDH));
adh.retainAll(filterByAuthentication(allCiphers,
Collections.singleton(Authentication.aNULL)));
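Review bot: The explanation for why `Constants.SSL_PROTO_TLSv1_1` is aliased to the `Protocol.SSLv3` suite list and `SSL_PROTO_SSLv3` reuses the `SSL_PROTO_TLSv1` list was carried by the Javadoc on the removed `TLSv1_2` constant (`Note: there are no cipher suites specific to TLS v1.1`), which the earlier hunk in this file deletes; the new `Constants` Javadoc does not restore it. Add the rationale where the mapping now lives, e.g. above the `SSL_PROTO_TLSv1_1` line: `// No cipher suites are specific to TLS v1.1, so it aliases the SSLv3 list; SSLv3 in turn reuses the TLSv1 list.` The enclosing method or initializer starts and ends outside this hunk.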
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java?rev=1681770&r1=1681769&r2=1681770&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java Tue
May 26 14:59:04 2015
@@ -17,12 +17,14 @@
package org.apache.tomcat.util.net.jsse.openssl;
+import org.apache.tomcat.util.net.Constants;
+
enum Protocol {
- SSLv3("SSLv3"),
- SSLv2("SSLv2"),
- TLSv1("SSLv3"),
- TLSv1_2("TLSv1.2");
+ SSLv3(Constants.SSL_PROTO_SSLv3),
+ SSLv2(Constants.SSL_PROTO_SSLv2),
+ TLSv1(Constants.SSL_PROTO_SSLv3),
+ TLSv1_2(Constants.SSL_PROTO_TLSv1_2);
private final String openSSLName;