Author: rjung
Date: Wed May 27 10:26:27 2015
New Revision: 1681958

URL: http://svn.apache.org/r1681958
Log:
Add some comments to track handling of TLS
default protocols.

Remove "ALL" handling from AprEndpoint,
because SSLHostConfig already resolves "ALL"
to a list of explicit protocols. If "ALL"
manages to trickle down to AprEndpoint, it
will now throw an exception with an invalid ssl
protocol message.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1681958&r1=1681957&r2=1681958&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Wed May 27 
10:26:27 2015
@@ -375,6 +375,7 @@ public class AprEndpoint extends Abstrac
                 // SSL protocol
                 int value = SSL.SSL_PROTOCOL_NONE;
                 if (sslHostConfig.getProtocols().size() == 0) {
+                    // Native fallback used if protocols=""
                     value = SSL.SSL_PROTOCOL_ALL;
                 } else {
                     for (String protocol : sslHostConfig.getProtocols()) {
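Review bot: The added comment on the empty-protocols branch says "Native fallback" but leaves the reader to discover that SSL.SSL_PROTOCOL_ALL is a bitmask owned by tomcat-native, which is not the same set as the SSLHostConfig.SSL_PROTO_ALL list that protocols="All" expands to in the SSLHostConfig hunk. Because protocols="" may therefore produce a different effective protocol list than protocols="All", the comment should say so, e.g. `// Native fallback used if protocols="" (SSL.SSL_PROTOCOL_ALL is defined by tomcat-native and may differ from SSLHostConfig.SSL_PROTO_ALL)`. The enclosing method continues outside the hunk.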
@@ -390,8 +391,6 @@ public class AprEndpoint extends Abstrac
                             value |= SSL.SSL_PROTOCOL_TLSV1_1;
                         } else if 
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
                             value |= SSL.SSL_PROTOCOL_TLSV1_2;
-                        } else if 
(Constants.SSL_PROTO_ALL.equalsIgnoreCase(protocol)) {
-                            value |= SSL.SSL_PROTOCOL_ALL;
                         } else {
                             // Protocol not recognized, fail to start as it is 
safer than
                             // continuing with the default which might enable 
more than the
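Review bot: With the Constants.SSL_PROTO_ALL branch removed, nothing in this loop records that "all" is now resolved upstream, so the next reader of the final else branch may simply re-add it. A one-line comment before that else would preserve the intent stated in the commit log, e.g. `// "all" is expanded to explicit protocols by SSLHostConfig and must not reach this loop`. The loop and the error branch continue outside the hunk.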

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1681958&r1=1681957&r2=1681958&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Wed May 27 
10:26:27 2015
@@ -42,6 +42,12 @@ public class SSLHostConfig {
     protected static final Set<String> SSL_PROTO_ALL = new HashSet<>();
 
     static {
+        /* Default used if protocols is not configured, also
+           used if protocols="All" */
+        /* If protocols is configured to be empty, the effective
+           value comes from
+           
org.apache.tomcat.util.net.jsse.JSSESocketFactory.defaultServerProtocols
+           (JSSE) resp. org.apache.tomcat.jni.SSL.SSL_PROTOCOL_ALL (OpenSSL)*/
         SSL_PROTO_ALL.add(Constants.SSL_PROTO_SSLv2Hello);
         SSL_PROTO_ALL.add(Constants.SSL_PROTO_TLSv1);
         SSL_PROTO_ALL.add(Constants.SSL_PROTO_TLSv1_1);
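Review bot: The two new block comments in the static initializer are one thought split in two, and the second is wrapped so that the fully qualified field name sits on a line of its own, which makes it easy for the two halves to drift apart. A single comment would be clearer: `/* Default used if protocols is not configured, also used if protocols="All". An empty protocols attribute does not use this set: the effective list then comes from org.apache.tomcat.util.net.jsse.JSSESocketFactory.defaultServerProtocols (JSSE) or org.apache.tomcat.jni.SSL.SSL_PROTOCOL_ALL (OpenSSL). */`. "resp." is not idiomatic English in this position; "or" reads better. The initializer continues outside the hunk.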

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1681958&r1=1681957&r2=1681958&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Wed May 27 10:26:27 2015
@@ -400,6 +400,7 @@ public class JSSESocketFactory implement
     @Override
     public String[] getEnableableProtocols(SSLContext context) {
         if (sslHostConfig.getProtocols().size() == 0) {
+            // JSSE fallback used if protocols=""
             return defaultServerProtocols;
         }
 
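Review bot: The fallback at `return defaultServerProtocols;` hands out what appears to be the instance's own array, so a caller that modifies the returned array also changes the fallback for every later call; `return defaultServerProtocols.clone();` would keep that state private. The new comment could also say where that array is populated, since the `context` parameter is not consulted on this path and the reader cannot see here how the default list was derived. getEnableableProtocols continues outside the hunk.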


