|Summary:||Incorrect values for SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2|
|Product:||Tomcat 8||Reporter:||Jeff Pinner <jeff.pinner>|
|Component:||Connectors||Assignee:||Tomcat Developers Mailing List <dev>|
Description Jeff Pinner 2015-01-11 18:20:56 UTC
Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following constants (from jni/java/org/apache/tomcat/jni/SSL.java) public static final int SSL_OP_NO_TLSv1_1 = 0x08000000; public static final int SSL_OP_NO_TLSv1_2 = 0x10000000; that get passed into OpenSSl's SSL_CTX_set_options (see jni/native/src/sslcontext.c). OpenSSL however defines these constants out-of-order (from ssl/ssl.h): #define SSL_OP_NO_TLSv1_2 0x08000000L #define SSL_OP_NO_TLSv1_1 0x10000000L The result is that defining "SSL_OP_NO_TLSv1_1" instead disables support for TLS 1.2 (and vice-versa).
Comment 1 Konstantin Kolinko 2015-02-11 20:01:53 UTC
Java code of Tomcat Native is maintained in Tomcat proper. I am moving the bug there.
Comment 2 Mark Thomas 2015-02-11 20:38:12 UTC
Fixed in trunk and 8.0.x (for 8.0.19 onwards).
Comment 3 Christopher Schultz 2015-02-12 04:58:58 UTC
(In reply to Jeff Pinner from comment #0) > Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following > constants (from jni/java/org/apache/tomcat/jni/SSL.java) > > public static final int SSL_OP_NO_TLSv1_1 = 0x08000000; > public static final int SSL_OP_NO_TLSv1_2 = 0x10000000; For the record, these constants were added in r1632577 which slightly pre-dates the commits directly-related to bug #53952. Also note that these constants were never back-ported to Tomcat 7.