
(-)java/org/apache/tomcat/util/net/AprEndpoint.java (-2 / +32 lines)
Lines 388-394 Link Here
388
388
389
    // ----------------------------------------------- Public Lifecycle Methods
389
    // ----------------------------------------------- Public Lifecycle Methods
390
390
391
    private boolean isTLS11Supported() {
392
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_1);
393
    }
391
394
395
    private boolean isTLS12Supported() {
396
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_2);
397
    }
398
399
    private int getSSLProtocolAll() {
400
        int value = SSL.SSL_PROTOCOL_ALL;
401
        if (!isTLS11Supported()) {
402
            value &= ~SSL.SSL_PROTOCOL_TLSV1_1;
403
        }
404
        if (!isTLS12Supported()) {
405
            value &= ~SSL.SSL_PROTOCOL_TLSV1_2;
406
        }
407
        return value;
408
    }
409
392
    /**
410
    /**
393
     * Initialize the endpoint.
411
     * Initialize the endpoint.
394
     */
412
     */
Lines 476-482 Link Here
476
            // SSL protocol
494
            // SSL protocol
477
            int value = SSL.SSL_PROTOCOL_NONE;
495
            int value = SSL.SSL_PROTOCOL_NONE;
478
            if (SSLProtocol == null || SSLProtocol.length() == 0) {
496
            if (SSLProtocol == null || SSLProtocol.length() == 0) {
479
                value = SSL.SSL_PROTOCOL_ALL;
497
                value = getSSLProtocolAll();
480
            } else {
498
            } else {
481
                for (String protocol : SSLProtocol.split("\\+")) {
499
                for (String protocol : SSLProtocol.split("\\+")) {
482
                    protocol = protocol.trim();
500
                    protocol = protocol.trim();
Lines 486-493 Link Here
486
                        value |= SSL.SSL_PROTOCOL_SSLV3;
504
                        value |= SSL.SSL_PROTOCOL_SSLV3;
487
                    } else if ("TLSv1".equalsIgnoreCase(protocol)) {
505
                    } else if ("TLSv1".equalsIgnoreCase(protocol)) {
488
                        value |= SSL.SSL_PROTOCOL_TLSV1;
506
                        value |= SSL.SSL_PROTOCOL_TLSV1;
507
                    } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
508
                        if (!isTLS11Supported()) {
509
                            throw new Exception(sm.getString(
510
                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
511
                        }
512
                        value |= SSL.SSL_PROTOCOL_TLSV1_1;
513
                    } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
514
                        if (!isTLS12Supported()) {
515
                            throw new Exception(sm.getString(
516
                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
517
                        }
518
                        value |= SSL.SSL_PROTOCOL_TLSV1_2;
489
                    } else if ("all".equalsIgnoreCase(protocol)) {
519
                    } else if ("all".equalsIgnoreCase(protocol)) {
490
                        value |= SSL.SSL_PROTOCOL_ALL;
520
                        value |= getSSLProtocolAll();
491
                    } else {
521
                    } else {
492
                        // Protocol not recognized, fail to start as it is safer than
522
                        // Protocol not recognized, fail to start as it is safer than
493
                        // continuing with the default which might enable more than the
523
                        // continuing with the default which might enable more than the
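Review bot: The new "TLSv1.1" and "TLSv1.2" branches (new lines 508-517) report a protocol that the linked OpenSSL cannot provide with the same `endpoint.apr.invalidSslProtocol` message as a misspelled one, so the operator cannot tell a configuration typo from an OpenSSL that is too old. A separate message key with its own LocalStrings entry (constructed name, e.g. `endpoint.apr.unsupportedSslProtocol`) passing `protocol` rather than the whole `SSLProtocol` string would make the failure actionable; failing to start is the right choice, so only the message needs to change. `getSSLProtocolAll()` (new lines 399-408) silently narrows `all` when TLSv1.1/1.2 are unavailable, which is the intended fallback but deserves a one-line debug or info log so the effective protocol set is visible at startup. The three helpers added here are duplicated verbatim in AprSocketContext (same patch); a single static helper on `SSL` would keep the two endpoints from drifting. The enclosing method that these hunks modify starts and ends outside the hunk.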
(-)java/org/apache/tomcat/jni/SSL.java (-5 / +5 lines)
Lines 71-77 Link Here
71
    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
71
    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
72
    public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
72
    public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
73
    public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
73
    public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
74
    public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
74
    public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
75
    public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
76
    public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2);
75
77
76
    /*
78
    /*
77
     * Define the SSL verify levels
79
     * Define the SSL verify levels
Lines 136-147 Link Here
136
    public static final int SSL_OP_NO_SSLv2                         = 0x01000000;
138
    public static final int SSL_OP_NO_SSLv2                         = 0x01000000;
137
    public static final int SSL_OP_NO_SSLv3                         = 0x02000000;
139
    public static final int SSL_OP_NO_SSLv3                         = 0x02000000;
138
    public static final int SSL_OP_NO_TLSv1                         = 0x04000000;
140
    public static final int SSL_OP_NO_TLSv1                         = 0x04000000;
141
    public static final int SSL_OP_NO_TLSv1_2                       = 0x08000000;
142
    public static final int SSL_OP_NO_TLSv1_1                       = 0x10000000;
139
    public static final int SSL_OP_NO_TICKET                        = 0x00004000;
143
    public static final int SSL_OP_NO_TICKET                        = 0x00004000;
140
144
141
    /* The next flag deliberately changes the ciphertest, this is a check
142
     * for the PKCS#1 attack */
143
    public static final int SSL_OP_PKCS1_CHECK_1                    = 0x08000000;
144
    public static final int SSL_OP_PKCS1_CHECK_2                    = 0x10000000;
145
    public static final int SSL_OP_NETSCAPE_CA_DN_BUG               = 0x20000000;
145
    public static final int SSL_OP_NETSCAPE_CA_DN_BUG               = 0x20000000;
146
    public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG  = 0x40000000;
146
    public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG  = 0x40000000;
147
147
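Review bot: `SSL_PROTOCOL_ALL` at new line 76 ORs `SSL_PROTOCOL_TLSV1` twice; the value is unaffected, but it reads as a slip and should be `(SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)`. The new `SSL_OP_NO_TLSv1_2 = 0x08000000` and `SSL_OP_NO_TLSv1_1 = 0x10000000` (new lines 141-142) reuse the bit values of the public `SSL_OP_PKCS1_CHECK_1`/`SSL_OP_PKCS1_CHECK_2` constants that this hunk removes, which is a source-incompatible change for any code referencing them and should at least be called out in the changelog. Because the callers probe support via `hasOp(SSL_OP_NO_TLSv1_1)`, the result is only meaningful if the native `hasOp` implementation distinguishes these bits on OpenSSL builds where they still carried the PKCS1 meaning; that cannot be verified from this page and is worth confirming against the tcnative version being targeted. A comment on the two new constants noting the deliberate value reuse, e.g. `// Same bit values as the former SSL_OP_PKCS1_CHECK_1/2, which OpenSSL repurposed`, would save the next reader the archaeology.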
(-)java/org/apache/tomcat/jni/SSLContext.java (+2 lines)
Lines 35-40 Link Here
35
     * SSL_PROTOCOL_SSLV3
35
     * SSL_PROTOCOL_SSLV3
36
     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
36
     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
37
     * SSL_PROTOCOL_TLSV1
37
     * SSL_PROTOCOL_TLSV1
38
     * SSL_PROTOCOL_TLSV1_1
39
     * SSL_PROTOCOL_TLSV1_2
38
     * SSL_PROTOCOL_ALL
40
     * SSL_PROTOCOL_ALL
39
     * </PRE>
41
     * </PRE>
40
     * @param mode SSL mode to use
42
     * @param mode SSL mode to use
(-)java/org/apache/tomcat/jni/socket/AprSocketContext.java (-2 / +25 lines)
Lines 181-187 Link Here
181
181
182
    private boolean useSendfile;
182
    private boolean useSendfile;
183
183
184
    private int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
184
    private int sslProtocol = getSSLProtocolAll();
185
185
186
    /**
186
    /**
187
     * Max time spent in a callback ( will be longer for blocking )
187
     * Max time spent in a callback ( will be longer for blocking )
Lines 294-299 Link Here
294
        tcpNoDelay = b;
294
        tcpNoDelay = b;
295
    }
295
    }
296
296
297
    private boolean isTLS11Supported() {
298
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_1);
299
    }
300
301
    private boolean isTLS12Supported() {
302
        return SSL.hasOp(SSL.SSL_OP_NO_TLSv1_2);
303
    }
304
305
    private int getSSLProtocolAll() {
306
        int value = SSL.SSL_PROTOCOL_ALL;
307
        if (!isTLS11Supported()) {
308
            value &= ~SSL.SSL_PROTOCOL_TLSV1_1;
309
        }
310
        if (!isTLS12Supported()) {
311
            value &= ~SSL.SSL_PROTOCOL_TLSV1_2;
312
        }
313
        return value;
314
    }
315
297
    public void setSslProtocol(String protocol) {
316
    public void setSslProtocol(String protocol) {
298
        protocol = protocol.trim();
317
        protocol = protocol.trim();
299
        if ("SSLv2".equalsIgnoreCase(protocol)) {
318
        if ("SSLv2".equalsIgnoreCase(protocol)) {
Lines 302-309 Link Here
302
            sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
321
            sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
303
        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
322
        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
304
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
323
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
324
        } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
325
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;
326
        } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
327
            sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2;
305
        } else if ("all".equalsIgnoreCase(protocol)) {
328
        } else if ("all".equalsIgnoreCase(protocol)) {
306
            sslProtocol = SSL.SSL_PROTOCOL_ALL;
329
            sslProtocol = getSSLProtocolAll();
307
        }
330
        }
308
    }
331
    }
309
332
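Review bot: `setSslProtocol` at new lines 324-327 assigns `SSL_PROTOCOL_TLSV1_1`/`SSL_PROTOCOL_TLSV1_2` without the `isTLS11Supported()`/`isTLS12Supported()` guard that the parallel AprEndpoint change applies, so on an OpenSSL without those versions the unsupported bit is handed to the native side silently rather than rejected; mirroring the check, e.g. `if (!isTLS11Supported()) { throw new IllegalArgumentException(protocol); }`, would keep the two code paths consistent. The existing fall-through for an unrecognized string (no `else` at new line 330) still leaves the previous value in place without any signal, which the commit does not address. The field initializer `private int sslProtocol = getSSLProtocolAll();` at new line 184 now calls `SSL.hasOp` from object construction; if the native library is not loaded at that point, this moves the failure from connector start to `new AprSocketContext()`, so a lazy computation in the getter or at init time may be safer. The three helpers at new lines 297-314 are copied verbatim from AprEndpoint in this same patch; a shared static on `SSL` would avoid the duplication.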
(-)webapps/docs/ssl-howto.xml (-1 / +1 lines)
Lines 368-374 Link Here
368
           scheme="https" secure="true" SSLEnabled="true"
368
           scheme="https" secure="true" SSLEnabled="true"
369
           SSLCertificateFile="/usr/local/ssl/server.crt"
369
           SSLCertificateFile="/usr/local/ssl/server.crt"
370
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
370
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
371
           SSLVerifyClient="optional" SSLProtocol="TLSv1"/&gt;
371
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/&gt;
372
</source>
372
</source>
373
</p>
373
</p>
374
374
(-)webapps/docs/config/http.xml (-2 / +5 lines)
Lines 1220-1228 Link Here
1220
1220
1221
    <attribute name="SSLProtocol" required="false">
1221
    <attribute name="SSLProtocol" required="false">
1222
      <p>Protocol which may be used for communicating with clients. The default
1222
      <p>Protocol which may be used for communicating with clients. The default
1223
      value is <code>all</code>, which is equivalent to <code>SSLv3+TLSv1</code>
1223
      value is <code>all</code>, which is equivalent to
1224
      <code>SSLv3+TLSv1+TLSv1.1+TLSv1.2</code> (TLSv1.1 and TLSv1.2 are
1225
      present only if supported by OpenSSL library)
1224
      with other acceptable values being <code>SSLv2</code>,
1226
      with other acceptable values being <code>SSLv2</code>,
1225
      <code>SSLv3</code>, <code>TLSv1</code> and any combination of the three
1227
      <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>,
1228
      <code>TLSv1.2</code> and any combination of the
1226
      protocols concatenated with a plus sign. Note that the protocol
1229
      protocols concatenated with a plus sign. Note that the protocol
1227
      <code>SSLv2</code> is inherently unsafe.</p>
1230
      <code>SSLv2</code> is inherently unsafe.</p>
1228
    </attribute>
1231
    </attribute>
