ASF Bugzilla – Attachment 32322 Details for
Bug 57391
Allow TLS Session Tickets to be disabled
svn diff output
SSLDisableSessionTickets.patch (text/plain), 4.36 KB, created by
Josiah Purtlebaugh
on 2014-12-22 21:27:07 UTC
Description:
svn diff output
Filename:
MIME Type:
Creator:
Josiah Purtlebaugh
Created:
2014-12-22 21:27:07 UTC
Size:
4.36 KB
patch
obsolete
>Index: java/org/apache/coyote/http11/Http11AprProtocol.java
>===================================================================
>--- java/org/apache/coyote/http11/Http11AprProtocol.java (revision 1647394)
>+++ java/org/apache/coyote/http11/Http11AprProtocol.java (working copy)
>@@ -196,6 +196,11 @@
> public boolean getSSLDisableCompression() { return ((AprEndpoint)endpoint).getSSLDisableCompression(); }
> public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)endpoint).setSSLDisableCompression(disable); }
>
>+ /**
>+ * Disable TLS Session Tickets (RFC 4507).
>+ */
>+ public boolean getSSLDisableSessionTickets() { return ((AprEndpoint)endpoint).getSSLDisableSessionTickets(); }
>+ public void setSSLDisableSessionTickets(boolean enable) { ((AprEndpoint)endpoint).setSSLDisableSessionTickets(enable); }
> // ----------------------------------------------------- JMX related methods
>
> @Override
>Index: java/org/apache/tomcat/util/net/res/LocalStrings.properties
>===================================================================
>--- java/org/apache/tomcat/util/net/res/LocalStrings.properties (revision 1647394)
>+++ java/org/apache/tomcat/util/net/res/LocalStrings.properties (working copy)
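Review bot: The new setter's parameter is named `enable` although the property it sets is `SSLDisableSessionTickets`, so `setSSLDisableSessionTickets(true)` reads as turning tickets on when it turns them off; the sibling `setSSLDisableCompression(boolean disable)` one line above uses the non-inverted name, and the new line should match: `public void setSSLDisableSessionTickets(boolean disable) { ((AprEndpoint)endpoint).setSSLDisableSessionTickets(disable); }`. The Javadoc on the getter, `Disable TLS Session Tickets (RFC 4507).`, describes an action rather than what the getter returns and cites RFC 4507, which has been obsoleted by RFC 5077; `Whether TLS session tickets (RFC 5077, formerly RFC 4507) are disabled on the native SSL context.` would fit better. The same RFC citation appears in the AprEndpoint field hunk and the http.xml hunk of this patch and could be updated there in the same way. The insertion also consumes the blank line that separated the previous setter from the `// ---- JMX related methods` banner, so a blank line after the new setter would restore the file's existing spacing.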
>@@ -19,6 +19,7 @@
> endpoint.err.unexpected=Unexpected error processing socket
> endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because the executor had already been shutdown
> endpoint.warn.noDisableCompression='Disable compression' option is not supported by the SSL library {0}
>+endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is not supported by the SSL library {0}
> endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
> endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
> endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown.
>Index: java/org/apache/tomcat/util/net/AprEndpoint.java
>===================================================================
>--- java/org/apache/tomcat/util/net/AprEndpoint.java (revision 1647394)
>+++ java/org/apache/tomcat/util/net/AprEndpoint.java (working copy)
>@@ -278,6 +278,12 @@
> public String getSSLCARevocationFile() { return SSLCARevocationFile; }
> public void setSSLCARevocationFile(String SSLCARevocationFile) { this.SSLCARevocationFile = SSLCARevocationFile; }
>
>+ /**
>+ * SSL disable TLS Session Tickets (RFC 4507).
>+ */
>+ protected boolean SSLDisableSessionTickets = false;
>+ public boolean getSSLDisableSessionTickets() { return SSLDisableSessionTickets; }
>+ public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
>
> /**
> * SSL verify client.
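Review bot: The Javadoc on the new `SSLDisableSessionTickets` field, `SSL disable TLS Session Tickets (RFC 4507).`, does not say when the flag is consulted, and a reader of the setter has no way to tell that flipping it on a running endpoint does nothing. The patch's later AprEndpoint hunk reads the field once while the native `sslContext` is being configured, so, if that is the only reader, a comment such as `Read once when the native SSL context is created; changes after the endpoint has been initialized have no effect.` would make the contract explicit (worth confirming there is no other consumer before stating it). The sibling `SSLDisableCompression` field is not visible in this hunk; if its Javadoc already carries such a note, the two should be worded alike.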
>@@ -583,6 +589,24 @@
> }
> }
>
>+ // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
>+ if (SSLDisableSessionTickets) {
>+ boolean disableSessionTicketsSupported = false;
>+ try {
>+ disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
>+ if (disableSessionTicketsSupported)
>+ SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET);
>+ } catch (UnsatisfiedLinkError e) {
>+ // Ignore
>+ }
>+
>+ if (!disableSessionTicketsSupported) {
>+ // OpenSSL is too old to support TLS Session Tickets.
>+ log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
>+ SSL.versionString()));
>+ }
>+ }
>+
> // List the ciphers that the client is permitted to negotiate
> SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
> // Load Server key and certificate
>Index: webapps/docs/config/http.xml
>===================================================================
>--- webapps/docs/config/http.xml (revision 1647394)
>+++ webapps/docs/config/http.xml (working copy)
>@@ -1387,6 +1387,11 @@
> "10".</p>
> </attribute>
>
>+ <attribute name="SSLDisableSessionTickets" required="false">
>+ <p>Disables use of TLS Session Tickets (RFC 4507) if set to
>+ <code>true</code>. Default is <code>false</code>.</p>
>+ </attribute>
>+
> </attributes>
>
> </subsection>
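Review bot: The `catch (UnsatisfiedLinkError e) { // Ignore }` in the new block is not really ignoring the error: leaving `disableSessionTicketsSupported` at `false` is what routes the `UnsatisfiedLinkError` case into the `log.warn` below, and the comment should say so rather than read like a swallowed exception, e.g. `// hasOp() is absent from this native library; keep the flag false so the warning below is logged`. The comment inside that warning branch, `// OpenSSL is too old to support TLS Session Tickets.`, is only one of the two ways to get there (the other being the missing native method), so `// Either OpenSSL lacks SSL_OP_NO_TICKET or the native library cannot report it` would be accurate for both. The single-statement `if (disableSessionTicketsSupported)` should be braced like the rest of this method, `if (disableSessionTicketsSupported) { SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET); }`. The leading comment's "to protect perfect forward secrecy" would help a future maintainer more if it named the mechanism: tickets carry session state encrypted under a long-lived server-side ticket key, so compromise of that key can expose sessions that were otherwise forward-secret. The enclosing initialization method starts and ends outside this hunk.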