Posted to dev@tomcat.apache.org by rj...@apache.org on 2016/03/20 11:44:21 UTC
svn commit: r1735861 - in /tomcat/native/trunk: native/src/sslcontext.c
xdocs/miscellaneous/changelog.xml
Author: rjung
Date: Sun Mar 20 10:44:21 2016
New Revision: 1735861
URL: http://svn.apache.org/viewvc?rev=1735861&view=rev
Log:
Use new OpenSSL 1.1.0 protocol version max and
min API when creating a new SSL context.
Modified:
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1735861&r1=1735860&r2=1735861&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Sun Mar 20 10:44:21 2016
@@ -139,6 +139,9 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
tcn_ssl_ctxt_t *c = NULL;
SSL_CTX *ctx = NULL;
jclass clazz;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ jint prot;
+#endif
UNREFERENCED(o);
if (protocol == SSL_PROTOCOL_NONE) {
@@ -146,6 +149,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
goto init_failed;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (protocol == SSL_PROTOCOL_TLSV1_2) {
#ifdef HAVE_TLSV1_2
if (mode == SSL_MODE_CLIENT)
@@ -189,13 +193,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
/* requested but not supported */
#endif
} else {
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
if (mode == SSL_MODE_CLIENT)
ctx = SSL_CTX_new(TLS_client_method());
else if (mode == SSL_MODE_SERVER)
ctx = SSL_CTX_new(TLS_server_method());
else
ctx = SSL_CTX_new(TLS_method());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
}
+#endif
if (!ctx) {
char err[256];
@@ -216,6 +223,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
if (c->bio_os != NULL)
BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
if (!(protocol & SSL_PROTOCOL_SSLV3))
@@ -230,6 +239,38 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
if (!(protocol & SSL_PROTOCOL_TLSV1_2))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
#endif
+
+#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ /* We first determine the maximum protocol version we should provide */
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+ } else {
+ SSL_CTX_free(ctx);
+ tcn_Throw(e, "Invalid Server SSL Protocol (%d)", protocol);
+ goto init_failed;
+ }
+ SSL_CTX_set_max_proto_version(ctx, prot);
+
+ /* Next we scan for the minimal protocol version we should provide,
+ * but we do not allow holes between max and min */
+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ }
+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ }
+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = SSL3_VERSION;
+ }
+ SSL_CTX_set_min_proto_version(ctx, prot);
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
/*
* Configure additional context ingredients
*/
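Review bot: The third min-version step, `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_TLSV1)`, re-tests the TLSv1 flag instead of the SSLv3 one, so whenever TLSv1 is in the requested set the minimum is lowered to SSL3_VERSION and SSLv3 becomes negotiable even though the caller never asked for it; the condition should read `if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3)`. That makes the OpenSSL 1.1.0 build weaker than the pre-1.1.0 branch, which appears to set SSL_OP_NO_SSLv3 when the flag is absent (the line following `if (!(protocol & SSL_PROTOCOL_SSLV3))` falls outside the hunk). The return values of `SSL_CTX_set_max_proto_version(ctx, prot)` and `SSL_CTX_set_min_proto_version(ctx, prot)` are also discarded; both report failure with 0, and a failed call silently leaves the context on OpenSSL's default bounds, so a 0 return should be handled like the invalid-protocol case above (free `ctx`, throw, `goto init_failed`). The enclosing SSLContext make function starts and continues outside this hunk.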
Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1735861&r1=1735860&r2=1735861&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Sun Mar 20 10:44:21 2016
@@ -37,6 +37,10 @@
<section name="Changes in 1.2.6">
<changelog>
<update>
+ Use new OpenSSL 1.1.0 protocol version max and min API
+ when creating a new SSL context. (rjung)
+ </update>
+ <update>
Improve renegotiation code and make it compatible with
OpenSSL 1.1.0. (rjung)
</update>