
(-)webapps/docs/config/http.xml (-3 / +4 lines)
Lines 1190-1198 Link Here
1190
1190
1191
    <attribute name="SSLProtocol" required="false">
1191
    <attribute name="SSLProtocol" required="false">
1192
      <p>Protocol which may be used for communicating with clients. The default
1192
      <p>Protocol which may be used for communicating with clients. The default
1193
      value is <code>all</code>, which is equivalent to <code>SSLv3+TLSv1</code>
1193
      value is <code>all</code>, which is equivalent to
1194
      with other acceptable values being <code>SSLv2</code>,
1194
      <code>SSLv3+TLSv1+TLSv1.1+TLSv1.2</code> with other acceptable values being
1195
      <code>SSLv3</code>, <code>TLSv1</code> and any combination of the three
1195
      <code>SSLv2</code>, <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>,
1196
      <code>TLSv1.2</code> and any combination of the three
1196
      protocols concatenated with a plus sign. Note that the protocol
1197
      protocols concatenated with a plus sign. Note that the protocol
1197
      <code>SSLv2</code> is inherently unsafe.</p>
1198
      <code>SSLv2</code> is inherently unsafe.</p>
1198
    </attribute>
1199
    </attribute>
(-)webapps/docs/ssl-howto.xml (-1 / +1 lines)
Lines 369-375 Link Here
369
           scheme="https" secure="true" SSLEnabled="true"
369
           scheme="https" secure="true" SSLEnabled="true"
370
           SSLCertificateFile="/usr/local/ssl/server.crt"
370
           SSLCertificateFile="/usr/local/ssl/server.crt"
371
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
371
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
372
           SSLVerifyClient="optional" SSLProtocol="TLSv1"/&gt;
372
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/&gt;
373
</source>
373
</source>
374
</p>
374
</p>
375
375
(-)java/org/apache/tomcat/util/net/AprEndpoint.java (-2 / +32 lines)
Lines 393-399 Link Here
393
393
394
    // ----------------------------------------------- Public Lifecycle Methods
394
    // ----------------------------------------------- Public Lifecycle Methods
395
395
396
    private boolean isTLS11Supported() {
397
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_1);
398
    }
396
399
400
    private boolean isTLS12Supported() {
401
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_2);
402
    }
403
404
    private int getSSLProtocolAll() {
405
        int value = SSL.SSL_PROTOCOL_ALL;
406
        if (!isTLS11Supported()) {
407
            value &= ~SSL.SSL_PROTOCOL_TLSV1_1;
408
        }
409
        if (!isTLS12Supported()) {
410
            value &= ~SSL.SSL_PROTOCOL_TLSV1_2;
411
        }
412
        return value;
413
    }
414
397
    /**
415
    /**
398
     * Initialize the endpoint.
416
     * Initialize the endpoint.
399
     */
417
     */
Lines 505-511 Link Here
505
            // SSL protocol
523
            // SSL protocol
506
            int value = SSL.SSL_PROTOCOL_NONE;
524
            int value = SSL.SSL_PROTOCOL_NONE;
507
            if (SSLProtocol == null || SSLProtocol.length() == 0) {
525
            if (SSLProtocol == null || SSLProtocol.length() == 0) {
508
                value = SSL.SSL_PROTOCOL_ALL;
526
                value = getSSLProtocolAll();
509
            } else {
527
            } else {
510
                for (String protocol : SSLProtocol.split("\\+")) {
528
                for (String protocol : SSLProtocol.split("\\+")) {
511
                    protocol = protocol.trim();
529
                    protocol = protocol.trim();
Lines 515-522 Link Here
515
                        value |= SSL.SSL_PROTOCOL_SSLV3;
533
                        value |= SSL.SSL_PROTOCOL_SSLV3;
516
                    } else if ("TLSv1".equalsIgnoreCase(protocol)) {
534
                    } else if ("TLSv1".equalsIgnoreCase(protocol)) {
517
                        value |= SSL.SSL_PROTOCOL_TLSV1;
535
                        value |= SSL.SSL_PROTOCOL_TLSV1;
536
                    } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
537
                        if (!isTLS11Supported()) {
538
                            throw new Exception(sm.getString(
539
                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
540
                        }
541
                        value |= SSL.SSL_PROTOCOL_TLSV1_1;
542
                    } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
543
                        if (!isTLS12Supported()) {
544
                            throw new Exception(sm.getString(
545
                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
546
                        }
547
                        value |= SSL.SSL_PROTOCOL_TLSV1_2;
518
                    } else if ("all".equalsIgnoreCase(protocol)) {
548
                    } else if ("all".equalsIgnoreCase(protocol)) {
519
                        value |= SSL.SSL_PROTOCOL_ALL;
549
                        value |= getSSLProtocolAll();
520
                    } else {
550
                    } else {
521
                        // Protocol not recognized, fail to start as it is safer than
551
                        // Protocol not recognized, fail to start as it is safer than
522
                        // continuing with the default which might enable more than the
552
                        // continuing with the default which might enable more than the
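Review bot: The new `TLSv1.1`/`TLSv1.2` branches reuse the `endpoint.apr.invalidSslProtocol` message for a value that is syntactically valid but unsupported by the loaded native library, which will send an operator running an older tcnative looking for a typo rather than for a library upgrade. Failing to start here is the right call, since it mirrors the unrecognised-protocol branch below and avoids silently falling back to a wider protocol set, but the message should say that the native library lacks that version, and ideally name the offending token rather than the whole `SSLProtocol` string. A short comment above the two checks would make the intent explicit, e.g. `// Fail closed: TLSv1.1/1.2 require a native library that knows the SSL_OP_NO_TLSv1_x flags`. The same `isTLS11Supported`/`isTLS12Supported`/`getSSLProtocolAll` helpers are duplicated verbatim in AprSocketContext in this commit, so a shared home would keep the two copies from drifting. The enclosing method starts and ends outside this hunk.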
(-)java/org/apache/tomcat/jni/socket/AprSocketContext.java (-2 / +29 lines)
Lines 193-199 Link Here
193
193
194
    protected boolean useSendfile;
194
    protected boolean useSendfile;
195
195
196
    int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
196
    int sslProtocol = (SSL.SSL_PROTOCOL_TLSV1_2 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3) & getSSLProtocolAll();
197
197
198
    /**
198
    /**
199
     * Max time spent in a callback ( will be longer for blocking )
199
     * Max time spent in a callback ( will be longer for blocking )
Lines 306-311 Link Here
306
        tcpNoDelay = b;
306
        tcpNoDelay = b;
307
    }
307
    }
308
308
309
    private boolean isTLS11Supported() {
310
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_1);
311
    }
312
313
    private boolean isTLS12Supported() {
314
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_2);
315
    }
316
317
    private int getSSLProtocolAll() {
318
        int value = SSL.SSL_PROTOCOL_ALL;
319
        if (!isTLS11Supported()) {
320
            value &= ~SSL.SSL_PROTOCOL_TLSV1_1;
321
        }
322
        if (!isTLS12Supported()) {
323
            value &= ~SSL.SSL_PROTOCOL_TLSV1_2;
324
        }
325
        return value;
326
    }
327
309
    public void setSslProtocol(String protocol) {
328
    public void setSslProtocol(String protocol) {
310
        protocol = protocol.trim();
329
        protocol = protocol.trim();
311
        if ("SSLv2".equalsIgnoreCase(protocol)) {
330
        if ("SSLv2".equalsIgnoreCase(protocol)) {
Lines 314-321 Link Here
314
            sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
333
            sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
315
        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
334
        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
316
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
335
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
336
        } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
337
            if (isTLS11Supported()) {
338
                sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;
339
            }
340
        } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
341
            if (isTLS12Supported()) {
342
                sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2;
343
            }
317
        } else if ("all".equalsIgnoreCase(protocol)) {
344
        } else if ("all".equalsIgnoreCase(protocol)) {
318
            sslProtocol = SSL.SSL_PROTOCOL_ALL;
345
            sslProtocol = getSSLProtocolAll();
319
        }
346
        }
320
    }
347
    }
321
348
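Review bot: When `TLSv1.1` or `TLSv1.2` is requested but `isTLS11Supported()`/`isTLS12Supported()` returns false, `setSslProtocol` silently leaves `sslProtocol` at its previous value, which by default is the SSLv3+TLSv1.x set, so a deployment that believes it is TLS 1.2-only runs with weaker protocols and gets no diagnostic. AprEndpoint in this same commit throws in exactly that situation; this class should fail the same way rather than fall back, e.g. `throw new IllegalArgumentException("TLSv1.1 requested but not supported by the native library");` and the equivalent for TLSv1.2. Note that this setter already ignores unrecognised strings without error, so an unsupported version is doubly silent here unless the new branches raise. `setSslProtocol` begins in the previous hunk; only its tail is visible here.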
(-)java/org/apache/tomcat/jni/SSLContext.java (-2 / +3 lines)
Lines 29-40 Link Here
29
    /**
29
    /**
30
     * Initialize new SSL context
30
     * Initialize new SSL context
31
     * @param pool The pool to use.
31
     * @param pool The pool to use.
32
     * @param protocol The SSL protocol to use. It can be one of:
32
     * @param protocol The SSL protocol to use. It can be bitwise OR of the following:
33
     * <PRE>
33
     * <PRE>
34
     * SSL_PROTOCOL_SSLV2
34
     * SSL_PROTOCOL_SSLV2
35
     * SSL_PROTOCOL_SSLV3
35
     * SSL_PROTOCOL_SSLV3
36
     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
37
     * SSL_PROTOCOL_TLSV1
36
     * SSL_PROTOCOL_TLSV1
37
     * SSL_PROTOCOL_TLSV1_1
38
     * SSL_PROTOCOL_TLSV1_2
38
     * SSL_PROTOCOL_ALL
39
     * SSL_PROTOCOL_ALL
39
     * </PRE>
40
     * </PRE>
40
     * @param mode SSL mode to use
41
     * @param mode SSL mode to use
(-)java/org/apache/tomcat/jni/SSL.java (-1 / +5 lines)
Lines 71-77 Link Here
71
    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
71
    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
72
    public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
72
    public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
73
    public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
73
    public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
74
    public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
74
    public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
75
    public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
76
    public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2);
75
77
76
    /*
78
    /*
77
     * Define the SSL verify levels
79
     * Define the SSL verify levels
Lines 134-139 Link Here
134
    public static final int SSL_OP_NO_SSLv2                         = 0x01000000;
136
    public static final int SSL_OP_NO_SSLv2                         = 0x01000000;
135
    public static final int SSL_OP_NO_SSLv3                         = 0x02000000;
137
    public static final int SSL_OP_NO_SSLv3                         = 0x02000000;
136
    public static final int SSL_OP_NO_TLSv1                         = 0x04000000;
138
    public static final int SSL_OP_NO_TLSv1                         = 0x04000000;
139
    public static final int SSL_OP_NO_TLSv1_2                       = 0x08000000;
140
    public static final int SSL_OP_NO_TLSv1_1                       = 0x10000000;
137
    public static final int SSL_OP_NO_TICKET                        = 0x00004000;
141
    public static final int SSL_OP_NO_TICKET                        = 0x00004000;
138
142
139
    /* The next flag deliberately changes the ciphertest, this is a check
143
    /* The next flag deliberately changes the ciphertest, this is a check
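Review bot: `SSL_OP_NO_TLSv1_2 = 0x08000000` is declared below `SSL_OP_NO_TLSv1_1 = 0x10000000`, which reads like a transposition even though it appears to mirror the flag values in OpenSSL's ssl.h, where the TLSv1.2 bit is the lower one. Because `isTLS11Supported()`/`isTLS12Supported()` in AprEndpoint and AprSocketContext pass these exact values to `SSL.hasOp`, a wrong bit would misreport native support for a version with no error at all, so the values deserve a comment pinning their provenance, e.g. `// Must match SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 in OpenSSL's ssl.h; TLSv1_2 is intentionally the lower bit.` Listing the two constants in version order with that comment would stop the next reader from "fixing" them.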
