Bug 57432

Summary: Incorrect values for SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
Product: Tomcat 8 Reporter: Jeff Pinner <jeff.pinner>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.18   
Target Milestone: ----   
Hardware: All   
OS: All   

Description Jeff Pinner 2015-01-11 18:20:56 UTC
Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following constants (from jni/java/org/apache/tomcat/jni/SSL.java)

public static final int SSL_OP_NO_TLSv1_1                       = 0x08000000;
public static final int SSL_OP_NO_TLSv1_2                       = 0x10000000;

that get passed into OpenSSl's SSL_CTX_set_options (see jni/native/src/sslcontext.c). OpenSSL however defines these constants out-of-order (from ssl/ssl.h):

#define SSL_OP_NO_TLSv1_2                               0x08000000L
#define SSL_OP_NO_TLSv1_1                               0x10000000L

The result is that defining "SSL_OP_NO_TLSv1_1" instead disables support for TLS 1.2 (and vice-versa).
Comment 1 Konstantin Kolinko 2015-02-11 20:01:53 UTC
Java code of Tomcat Native is maintained in Tomcat proper. I am moving the bug there.
Comment 2 Mark Thomas 2015-02-11 20:38:12 UTC
Fixed in trunk and 8.0.x (for 8.0.19 onwards).
Comment 3 Christopher Schultz 2015-02-12 04:58:58 UTC
(In reply to Jeff Pinner from comment #0)
> Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following
> constants (from jni/java/org/apache/tomcat/jni/SSL.java)
> 
> public static final int SSL_OP_NO_TLSv1_1                       = 0x08000000;
> public static final int SSL_OP_NO_TLSv1_2                       = 0x10000000;

For the record, these constants were added in r1632577 which slightly pre-dates the commits directly-related to bug #53952.

Also note that these constants were never back-ported to Tomcat 7.