Author: rjung
Date: Wed May 27 11:27:48 2015
New Revision: 1681982

URL: http://svn.apache.org/r1681982
Log:
Changes to protocol parsing:

- if caller provides no protocol at all, fail
  early with a specific message

- if only SSLv2 is requested fail unconditionally

- if multiple protocols are requested, always
  disable SSLv2

Modified:
    tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681982&r1=1681981&r2=1681982&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Wed May 27 11:27:48 2015
@@ -106,6 +106,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     tcn_ssl_ctxt_t *c = NULL;
     SSL_CTX *ctx = NULL;
 
+    if (protocol == SSL_PROTOCOL_NONE) {
+        tcn_Throw(e, "No SSL protocols requested");
+        goto init_failed;
+    }
+
     if (protocol == SSL_PROTOCOL_TLSV1_2) {
 #ifdef HAVE_TLSV1_2
         if (mode == SSL_MODE_CLIENT)
@@ -138,24 +143,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
             ctx = SSL_CTX_new(SSLv3_server_method());
         else
             ctx = SSL_CTX_new(SSLv3_method());
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(OPENSSL_NO_SSL2)
     } else if (protocol == SSL_PROTOCOL_SSLV2) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(SSLv2_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(SSLv2_server_method());
-        else
-            ctx = SSL_CTX_new(SSLv2_method());
-#endif
-#ifndef OPENSSL_NO_SSL2
-    } else if (protocol == SSL_PROTOCOL_SSLV2) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(SSLv2_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(SSLv2_server_method());
-        else
-            ctx = SSL_CTX_new(SSLv2_method());
-#endif
+        /* requested but not supported */
 #ifndef HAVE_TLSV1_2
     } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
         /* requested but not supported */
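Review bot: The SSLv2 branch under `} else if (protocol == SSL_PROTOCOL_SSLV2) {` now leaves ctx NULL with only a comment, so the rejection depends on a ctx == NULL check that lies outside this hunk, and the caller presumably gets a generic error rather than one naming SSLv2. The commit already adds a specific message for SSL_PROTOCOL_NONE in the first hunk; the same pattern here would be clearer and would not depend on the later check: `tcn_Throw(e, "SSLv2 is not supported"); goto init_failed;`. At minimum the comment should say why the branch is empty, e.g. `/* SSLv2 is refused unconditionally (RFC 6176); ctx stays NULL so the later NULL check reports the error */`. The enclosing function starts and ends outside this hunk.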
@@ -201,8 +190,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     if (c->bio_os != NULL)
         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
-    if (!(protocol & SSL_PROTOCOL_SSLV2))
-        SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);
+    /* always disable SSLv2, as per RFC 6176 */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
     if (!(protocol & SSL_PROTOCOL_SSLV3))
         SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
     if (!(protocol & SSL_PROTOCOL_TLSV1))
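Review bot: The added `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` passes the local `ctx` while every neighbouring call in this hunk passes `c->ctx`; the two presumably point to the same context at this point, but the inconsistency invites a mistake if the context is ever re-created or the local goes out of step. Use `SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);` to match the surrounding calls. The enclosing function starts and ends outside this hunk.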


