Posted to dev@tomcat.apache.org by rj...@apache.org on 2016/03/20 11:44:21 UTC

svn commit: r1735861 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

Author: rjung
Date: Sun Mar 20 10:44:21 2016
New Revision: 1735861

URL: http://svn.apache.org/viewvc?rev=1735861&view=rev
Log:
Use new OpenSSL 1.1.0 protocol version max and 
min API when creating a new SSL context.

Modified:
    tomcat/native/trunk/native/src/sslcontext.c
    tomcat/native/trunk/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1735861&r1=1735860&r2=1735861&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Sun Mar 20 10:44:21 2016
@@ -139,6 +139,9 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     tcn_ssl_ctxt_t *c = NULL;
     SSL_CTX *ctx = NULL;
     jclass clazz;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    jint prot;
+#endif
 
     UNREFERENCED(o);
     if (protocol == SSL_PROTOCOL_NONE) {
@@ -146,6 +149,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
         goto init_failed;
     }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     if (protocol == SSL_PROTOCOL_TLSV1_2) {
 #ifdef HAVE_TLSV1_2
         if (mode == SSL_MODE_CLIENT)
@@ -189,13 +193,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
         /* requested but not supported */
 #endif
     } else {
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
         if (mode == SSL_MODE_CLIENT)
                 ctx = SSL_CTX_new(TLS_client_method());
         else if (mode == SSL_MODE_SERVER)
                 ctx = SSL_CTX_new(TLS_server_method());
         else
                 ctx = SSL_CTX_new(TLS_method());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     }
+#endif
 
     if (!ctx) {
         char err[256];
@@ -216,6 +223,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     if (c->bio_os != NULL)
         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
     if (!(protocol & SSL_PROTOCOL_SSLV3))
@@ -230,6 +239,38 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     if (!(protocol & SSL_PROTOCOL_TLSV1_2))
         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
 #endif
+
+#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+    /* We first determine the maximum protocol version we should provide */
+    if (protocol & SSL_PROTOCOL_TLSV1_2) {
+        prot = TLS1_2_VERSION;
+    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+        prot = TLS1_1_VERSION;
+    } else if (protocol & SSL_PROTOCOL_TLSV1) {
+        prot = TLS1_VERSION;
+    } else if (protocol & SSL_PROTOCOL_SSLV3) {
+        prot = SSL3_VERSION;
+    } else {
+        SSL_CTX_free(ctx);
+        tcn_Throw(e, "Invalid Server SSL Protocol (%d)", protocol);
+        goto init_failed;
+    }
+    SSL_CTX_set_max_proto_version(ctx, prot);
+
+    /* Next we scan for the minimal protocol version we should provide,
+     * but we do not allow holes between max and min */
+    if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
+        prot = TLS1_1_VERSION;
+    }
+    if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+        prot = TLS1_VERSION;
+    }
+    if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+        prot = SSL3_VERSION;
+    }
+    SSL_CTX_set_min_proto_version(ctx, prot);
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
     /*
      * Configure additional context ingredients
      */
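Review bot: The third min-version step, `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1)`, re-tests the TLSv1 bit instead of the SSLv3 bit, so whenever TLSv1 is in the requested set the minimum is lowered to SSL3_VERSION and SSLv3 gets enabled even when the caller did not ask for it; the condition should read `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3)`. The return values of `SSL_CTX_set_max_proto_version()` and `SSL_CTX_set_min_proto_version()` are also discarded, and both report failure by returning 0, so a rejected version would leave the context at OpenSSL's defaults; checking them and taking the existing `init_failed` path would match the error handling used for `SSL_CTX_new()` above. The comment on the min scan could also say explicitly that a gap in the requested set (for example TLSv1.2 and TLSv1 without TLSv1.1) leaves the minimum equal to the maximum, since that is the documented intent of "no holes". The enclosing function starts and ends outside this hunk.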

Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1735861&r1=1735860&r2=1735861&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Sun Mar 20 10:44:21 2016
@@ -37,6 +37,10 @@
 <section name="Changes in 1.2.6">
   <changelog>
     <update>
+      Use new OpenSSL 1.1.0 protocol version max and min API
+      when creating a new SSL context. (rjung)
+    </update>
+    <update>
       Improve renegotiation code and make it compatible with
       OpenSSL 1.1.0. (rjung)
     </update>


