Author: markt Date: Tue Sep 20 13:39:30 2016 New Revision: 1761574 URL: http://svn.apache.org/viewvc?rev=1761574&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60138 Fix the SSLHostConfig so that the protocols attribute is limited to the protocols supported by the current JSSE implementation rather than the default protocols used by the implementation.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Sep 20 13:39:30 2016
@@ -49,8 +49,6 @@ import javax.net.ssl.CertPathTrustManage
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -95,29 +93,22 @@ public class JSSEUtil extends SSLUtilBas
 throw new IllegalArgumentException(e);
 }
- // There is no standard way to determine the default protocols and
- // cipher suites so create a server socket to see what the defaults are
- SSLServerSocketFactory ssf = context.getServerSocketFactory();
- implementedProtocols = new HashSet<>();
- try (SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket()) {
- // Filter out all the SSL protocols (SSLv2 and SSLv3) from the
- // defaults since they are no longer considered secure but allow
- // SSLv2Hello
- for (String protocol : socket.getEnabledProtocols()) {
- String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
- if (!"SSLV2HELLO".equals(protocolUpper)) {
- if (protocolUpper.contains("SSL")) {
- log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
- continue;
- }
+ String[] implementedProtocolsArray = context.getSupportedSSLParameters().getProtocols();
+ implementedProtocols = new HashSet<>(implementedProtocolsArray.length);
+
+ // Filter out all the SSL protocols (SSLv2 and SSLv3) from the list of
+ // implemented protocols since they are no longer considered secure but
+ // allow SSLv2Hello. This has the effect of making it impossible to use
+ // SSLv2 or SSLv3 without source code changes.
+ for (String protocol : implementedProtocolsArray) {
+ String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
+ if (!"SSLV2HELLO".equals(protocolUpper)) {
+ if (protocolUpper.contains("SSL")) {
+ log.debug(sm.getString("jsse.excludeProtocol", protocol));
+ continue;
 }
- implementedProtocols.add(protocol);
 }
- } catch (IOException e) {
- // This is very likely to be fatal but there is a slim chance that
- // the JSSE implementation just doesn't like creating unbound
- // sockets so allow the code to proceed.
-
+ implementedProtocols.add(protocol);
 }
 if (implementedProtocols.size() == 0) {
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties Tue Sep 20 13:39:30 2016
@@ -19,7 +19,7 @@ jsse.invalidTrustManagerClassName=The tr
 jsse.requested_ciphers_not_supported=None of the ciphers specified are supported by the SSL engine : {0}
 jsse.enableable_ciphers=Specified SSL ciphers that are supported and enableable are : {0}
 jsse.unsupported_ciphers=Some specified SSL ciphers are not supported by the SSL engine : {0}
-jsse.excludeDefaultProtocol=The SSL protocol [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat
+jsse.excludeProtocol=The SSL protocol [{0}] which is supported in this JRE was excluded from the protocols available to Tomcat
 jsse.noDefaultCiphers=Unable to determine a default for ciphers for [{0}]. Set an explicit value to ensure the connector can start.
 jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start.
 jsse.exceptionOnClose=Failure to close socket.
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 20 13:39:30 2016
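Review bot: The new filter in the loop excludes more than its comment says: `protocolUpper.contains("SSL")` drops every supported protocol whose name contains "SSL" other than SSLv2Hello, not only SSLv2 and SSLv3, so either the comment should state that — e.g. `// Any protocol name containing "SSL" (other than SSLv2Hello) is excluded, not only SSLv2/SSLv3` — or the test should be narrowed to `protocolUpper.startsWith("SSLV")` if only those two are meant. Because `getSupportedSSLParameters().getProtocols()` reports what the provider implements rather than what it enables by default, this filter and the connector's `protocols` attribute are now the only things keeping a supported-but-deprecated protocol out, and the `log.debug` call is the only record that one was dropped; a one-line comment after the `implementedProtocolsArray` assignment noting that the array is the provider's full supported list, not the JRE default, would make that explicit. The enclosing method starts and ends outside the hunk.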
@@ -74,6 +74,12 @@
 Tatsuya Bessho. (kfujino)
 </fix>
 <fix>
+ <bug>60138</bug>: Fix the <code>SSLHostConfig</code> so that the
+ <code>protocols</code> attribute is limited to the protocols supported
+ by the current JSSE implementation rather than the default protocols
+ used by the implementation. (markt)
+ </fix>
+ <fix>
 <bug>60146</bug>: Improve performance for resource retrieval by making
 calls to WebResource.getInputStream() trigger caching if the resource
 is small enough. Patch provided by mohitchugh. (markt)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org