Bug 57432 - Incorrect values for SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
Summary: Incorrect values for SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.0.18
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-11 18:20 UTC by Jeff Pinner
Modified: 2015-02-12 04:58 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Pinner 2015-01-11 18:20:56 UTC 
Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following constants (from jni/java/org/apache/tomcat/jni/SSL.java)

public static final int SSL_OP_NO_TLSv1_1                       = 0x08000000;
public static final int SSL_OP_NO_TLSv1_2                       = 0x10000000;

that get passed into OpenSSl's SSL_CTX_set_options (see jni/native/src/sslcontext.c). OpenSSL however defines these constants out-of-order (from ssl/ssl.h):

#define SSL_OP_NO_TLSv1_2                               0x08000000L
#define SSL_OP_NO_TLSv1_1                               0x10000000L

The result is that defining "SSL_OP_NO_TLSv1_1" instead disables support for TLS 1.2 (and vice-versa).
Comment 1 Konstantin Kolinko 2015-02-11 20:01:53 UTC 
Java code of Tomcat Native is maintained in Tomcat proper. I am moving the bug there.
Comment 2 Mark Thomas 2015-02-11 20:38:12 UTC 
Fixed in trunk and 8.0.x (for 8.0.19 onwards).
Comment 3 Christopher Schultz 2015-02-12 04:58:58 UTC 
(In reply to Jeff Pinner from comment #0)
> Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following
> constants (from jni/java/org/apache/tomcat/jni/SSL.java)
> 
> public static final int SSL_OP_NO_TLSv1_1                       = 0x08000000;
> public static final int SSL_OP_NO_TLSv1_2                       = 0x10000000;

For the record, these constants were added in r1632577 which slightly pre-dates the commits directly-related to bug #53952.

Also note that these constants were never back-ported to Tomcat 7.