Author: schultz Date: Thu Aug 9 16:27:55 2012 New Revision: 1371298 URL: http://svn.apache.org/viewvc?rev=1371298&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 Added support for SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder.
Added: tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt (with props) Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1371283 Added: tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt?rev=1371298&view=auto ============================================================================== --- tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt (added) +++ tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt Thu Aug 9 16:27:55 2012 
@@ -0,0 +1,41 @@
+================================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+================================================================================
+
+Notes of things to consider for the next major Tomcat release (probably 8.0.x
+but possibly 7.1.x).
+
+1. Refactor the TLD parsing. TLDs are currently parsed twice. Once by Catalina
+ looking for listeners and once by Jasper.
+
+2. Refactor the XML parsing (org.apache.tomcat.util.xml ?) to remove duplicate
+ XML parsing code in Catalina and Jasper such as the entity resolvers used for
+ validation.
+
+3. TLDs may have a many to many relationship between URIs and TLD files. This
+ can result in the same TLD file being parsed many times. Refactor the
+ TldLocationCache to cache the parsed nodes (will need to check for changes to
+ TLD files).
+
+4. TLD files should be included in the dependencies for JSP and Tag files.
+
+5. Run the unused code detector and remove everything that isn't currently used.
+ Add deprecation markers for the removed code to Tomcat 7.0.x
+
+6. Change the default URIEncoding on the connector to UTF-8.
+
+7. 
Rip out all the JNDI code in resource handling and replace it with straight
+ URLs (File or WAR).
\ No newline at end of file
Propchange: tomcat/tc7.0.x/trunk/TOMCAT-NEXT.txt
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Aug 9 16:27:55 2012
@@ -118,6 +118,17 @@ public class Http11AprProtocol extends A
 /**
+ * SSL honor cipher order.
+ *
+ * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+ * instead of the default which is to allow the client to choose a
+ * preferred cipher.
+ */
+ public boolean getSSLHonorCipherOrder() { return ((AprEndpoint)endpoint).getSSLHonorCipherOrder(); }
+ public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { ((AprEndpoint)endpoint).setSSLHonorCipherOrder(SSLHonorCipherOrder); }
+
+
+ /**
 * SSL certificate file.
 */
 public String getSSLCertificateFile() { return ((AprEndpoint)endpoint).getSSLCertificateFile(); }
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Aug 9 16:27:55 2012
@@ -317,6 +317,15 @@ public class AprEndpoint extends Abstrac
 public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
 public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
+ protected boolean SSLHonorCipherOrder = false;
+ /**
+ * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+ * instead of the default which is to allow the client to choose a
+ * preferred cipher.
+ */
+ public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
+ public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
+
 /**
 * Port in use.
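Review bot: The new `SSLHonorCipherOrder` field and `getSSLHonorCipherOrder()` carry no documentation; the Javadoc covers only the setter. A field comment such as `// Defaults to false (client chooses the cipher); read when the SSL context options are configured` would tell a maintainer where the value is consumed, since the second hunk of this file appears to apply it while the context is being set up, so presumably changing it on an already-initialised endpoint has no effect until the context is rebuilt. The enclosing class continues outside the hunk.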
@@ -526,6 +535,24 @@ public class AprEndpoint extends Abstrac
 SSL.versionString()));
 }
 }
+
+ // Set cipher order: client (default) or server
+ if (SSLHonorCipherOrder) {
+ boolean orderCiphersSupported = false;
+ try {
+ orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (orderCiphersSupported)
+ SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!orderCiphersSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+ SSL.versionString()));
+ }
+ }
+
 // List the ciphers that the client is permitted to negotiate
 SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
 // Load Server key and certificate
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Thu Aug 9 16:27:55 2012
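Review bot: The `catch (UnsatisfiedLinkError e) { // Ignore }` discards the reason the option could not be applied: a missing `SSL.hasOp` native symbol most likely means the tomcat-native library is too old for this call, whereas the warning below reports only `SSL.versionString()`, so an operator is pointed at OpenSSL rather than the JNI library. Replace the comment with `// Older tomcat-native has no SSL.hasOp(): leave orderCiphersSupported false so the warning below fires` and consider `log.debug(..., e)` there so the cause is recoverable. The `if (!orderCiphersSupported)` branch also deserves a sentence stating that an unsupported option is deliberately a warning and not a startup failure, because the endpoint then starts with the client-chosen cipher order the operator asked to override. The one-line `if (orderCiphersSupported)` should be braced like the surrounding code. The enclosing method starts and ends outside the hunk.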
@@ -41,8 +41,10 @@ endpoint.process.fail=Error allocating s
 endpoint.sendfile.error=Unexpected sendfile error
 endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
 endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system doesn't support it
-endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library {0}
+endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
 endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown.
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
 endpoint.debug.channelCloseFail=Failed to close channel
 endpoint.debug.socketCloseFail=Failed to close socket
 endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be defined when using SSL with APR
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Aug 9 16:27:55 2012
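Review bot: `endpoint.warn.noHonorCipherOrder` is added twice in this hunk, once directly after `endpoint.warn.noInsecureReneg` and again after `endpoint.warn.unlockAcceptorFailed`. `java.util.Properties` keeps whichever definition is read last without complaint, so the duplicate is harmless today but would silently mask any future edit to the other copy; drop one of the two `+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}` lines.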
@@ -70,6 +70,11 @@
 <code>IllegalArgumentException</code> was thrown. (markt)
 </fix>
 <fix>
+ <bug>53481</bug>: Added support for SSLHonorCipherOrder to allow
+ the server to impose its cipher order on the client. Based on a patch
+ provided by Marcel Å ebek. (schultz)
+ </fix>
+ <fix>
 <bug>53498</bug>: Fix atomicity bugs in use of concurrent collections.
 Based on a patch by Yu Lin. (markt)
 </fix>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1371298&r1=1371297&r2=1371298&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Aug 9 16:27:55 2012
@@ -1177,6 +1177,12 @@
 supported).</p>
 </attribute>
+ <attribute name="SSLHonorCipherOrder" required="false">
+ <p>Set to <code>true</code> to enforce the server's cipher order
+ (from the <code>SSLCipherSuite</code> setting) instead of allowing
+ the client to choose the cipher (which is the default).</p>
+ </attribute>
+
 <attribute name="SSLPassword" required="false">
 <p>Pass phrase for the encrypted private key. If "SSLPassword" is not
 provided, the callback function should prompt for the pass phrase.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org