Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/06/26 20:38:29 UTC

[tomcat] branch 8.5.x updated (84992eb -> 513e54c)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from 84992eb  Remove unused image files
     new 8dcaf35  Fix typo in key. Remove unused keys. Add additional translations.
     new f536788  Add additional languages from 9.0.x
     new 1dfae89  Remove unused message key
     new 3cb5b83  Add additional languages from 9.0.x
     new 4b3c6fd  Fix URL in comment
     new 7ba68fb  Back-port clean-up
     new fa08789  PEM files are ASCII encoded. Ensure they are read as ASCII.
     new bfc8b58  Avoid possible hang with TLS 1.0 + NIO/NIO2 + OpenSSL 1.1.1 or later
     new 760505c  Don't use deprecated version of method.
     new 513e54c  Obtain PEM files via ConfigFileLoader

The 10 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/tomcat/util/net/AbstractEndpoint.java   |  2 +-
 .../apache/tomcat/util/net/jsse/JSSESupport.java   |  2 +-
 .../tomcat/util/net/jsse/LocalStrings.properties   |  8 +--
 .../util/net/jsse/LocalStrings_es.properties       |  7 +++
 .../util/net/jsse/LocalStrings_fr.properties       | 23 +++++++-
 .../util/net/jsse/LocalStrings_ja.properties       | 21 +++++++
 java/org/apache/tomcat/util/net/jsse/PEMFile.java  | 11 +++-
 .../util/net/openssl/LocalStrings.properties       |  1 -
 .../util/net/openssl}/LocalStrings_es.properties   | 14 +++--
 .../util/net/openssl/LocalStrings_fr.properties    | 65 ++++++++++++++++++++++
 .../util/net/openssl/LocalStrings_ja.properties    | 64 +++++++++++++++++++++
 .../tomcat/util/net/openssl/OpenSSLContext.java    |  2 +-
 .../tomcat/util/net/openssl/OpenSSLEngine.java     | 21 ++++++-
 .../openssl/ciphers}/LocalStrings_fr.properties    |  2 +-
 .../ciphers}/LocalStrings_ja.properties            |  3 +-
 webapps/docs/changelog.xml                         |  9 +++
 16 files changed, 230 insertions(+), 25 deletions(-)
 copy java/{javax/servlet => org/apache/tomcat/util/net/openssl}/LocalStrings_es.properties (58%)
 create mode 100644 java/org/apache/tomcat/util/net/openssl/LocalStrings_fr.properties
 create mode 100644 java/org/apache/tomcat/util/net/openssl/LocalStrings_ja.properties
 copy java/org/apache/{catalina/filters => tomcat/util/net/openssl/ciphers}/LocalStrings_fr.properties (91%)
 copy java/org/apache/tomcat/util/net/{ => openssl/ciphers}/LocalStrings_ja.properties (92%)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[tomcat] 09/10: Don't use deprecated version of method.

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 760505cabb77e910ec5c46da503bc72bd3021976
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:32:51 2019 +0100

    Don't use deprecated version of method.
---
 java/org/apache/tomcat/util/net/AbstractEndpoint.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 2bc782e..81c0ad8 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -565,7 +565,7 @@ public abstract class AbstractEndpoint<S> {
     private Integer keepAliveTimeout = null;
     public int getKeepAliveTimeout() {
         if (keepAliveTimeout == null) {
-            return getSoTimeout();
+            return getConnectionTimeout();
         } else {
             return keepAliveTimeout.intValue();
         }
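
Review bot: The null branch of getKeepAliveTimeout() ties the keep-alive timeout to the connection timeout, and nothing at the field or the getter says so. A one-line Javadoc on the getter stating that an unset keepAliveTimeout falls back to getConnectionTimeout() would make it clear that changing the connection timeout also changes how long idle keep-alive connections are held open.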




[tomcat] 02/10: Add additional languages from 9.0.x

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit f53678876a7eebaa3299615e95891a4d5debd7df
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:08:07 2019 +0100

    Add additional languages from 9.0.x
---
 .../util/net/openssl/ciphers/LocalStrings_fr.properties  | 16 ++++++++++++++++
 .../util/net/openssl/ciphers/LocalStrings_ja.properties  | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_fr.properties
new file mode 100644
index 0000000..feab3b8
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_fr.properties
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+converter.mapping=Association de la suite de chiffres: [{0}] => [{1}]
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_ja.properties
new file mode 100644
index 0000000..25e23e8
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/LocalStrings_ja.properties
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+converter.mapping=暗号スイートの対応付け: [{0}] => [{1}]




[tomcat] 10/10: Obtain PEM files via ConfigFileLoader

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 513e54c90b86e37c394b5d81aa85f06773b2f763
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:38:03 2019 +0100

    Obtain PEM files via ConfigFileLoader
    
    This handles relative paths as well as additional options such as URIs
---
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index e9df5f6..ee09cb2 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -18,7 +18,6 @@ package org.apache.tomcat.util.net.jsse;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -43,6 +42,7 @@ import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
 
 import org.apache.tomcat.util.codec.binary.Base64;
+import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.res.StringManager;
 
 /**
@@ -74,7 +74,7 @@ public class PEMFile {
         this.filename = filename;
 
         List<Part> parts = new ArrayList<>();
-        try (InputStream inputStream = new FileInputStream(filename)) {
+        try (InputStream inputStream = ConfigFileLoader.getInputStream(filename)) {
             BufferedReader reader =
                     new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.US_ASCII));
             Part part = null;
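
Review bot: In the PEMFile constructor, replacing new FileInputStream(filename) with ConfigFileLoader.getInputStream(filename) widens what filename may name: per the commit message it now covers relative paths and URIs, and this stream feeds the parser for certificates and private keys. The class or attribute documentation should state which forms are accepted, and a test for a relative path and for a URI would pin the new behaviour down. Where a URI is used for key material, the operator needs to know that the integrity and confidentiality of the key then depend on that transport.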




[tomcat] 01/10: Fix typo in key. Remove unused keys. Add additional translations.

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 8dcaf35a9eb316a7a33cfed93e44ec1425fdf044
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:01:16 2019 +0100

    Fix typo in key. Remove unused keys. Add additional translations.
---
 .../apache/tomcat/util/net/jsse/JSSESupport.java   |  2 +-
 .../tomcat/util/net/jsse/LocalStrings.properties   |  8 +-------
 .../util/net/jsse/LocalStrings_es.properties       |  7 +++++++
 .../util/net/jsse/LocalStrings_fr.properties       | 23 +++++++++++++++++++++-
 .../util/net/jsse/LocalStrings_ja.properties       | 21 ++++++++++++++++++++
 5 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
index bc84721..0bdc7f2 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
@@ -118,7 +118,7 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
                             cf.generateCertificate(stream);
                 } catch(Exception ex) {
                     log.info(sm.getString(
-                            "jseeSupport.certTranslationError", certs[i]), ex);
+                            "jsseSupport.certTranslationError", certs[i]), ex);
                     return null;
                 }
             }
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index faf7437..931410a 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -13,8 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-jseeSupport.certTranslationError=Error translating certificate [{0}]
-
 jsse.alias_no_key_entry=Alias name [{0}] does not identify a key entry
 jsse.enableable_ciphers=Specified SSL ciphers that are supported and enableable are : [{0}]
 jsse.exceptionOnClose=Failure to close socket.
@@ -28,13 +26,9 @@ jsse.noKeys=No aliases for private keys found in key store
 jsse.openssl.effectiveCiphers=Ciphers used: [{0}]
 jsse.openssl.unknownElement=Unknown element in cipher string: [{0}]
 jsse.pemParseError=Unable to parse the key from [{0}]
-jsse.requested_ciphers_not_supported=None of the ciphers specified are supported by the SSL engine : [{0}]
-jsse.unsupported_ciphers=Some specified SSL ciphers are not supported by the SSL engine : [{0}]
 
+jsseSupport.certTranslationError=Error translating certificate [{0}]
 jsseSupport.clientCertError=Error trying to obtain a certificate from the client
-jsseSupport.noCertWant=No client certificate sent for want
-jsseSupport.serverRenegDisabled=SSL server initiated renegotiation is disabled, closing connection
-jsseSupport.unexpectedData=Unexpected data read from input stream
 
 jsseUtil.invalidTrustCert=The certificate for [{0}] in the trust store is not valid and has, therefore, been excluded in the list of certificates sent to the client
 jsseUtil.noCrlSupport=The truststoreProvider [{0}] does not support the certificateRevocationFile configuration option
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings_es.properties b/java/org/apache/tomcat/util/net/jsse/LocalStrings_es.properties
index 4f4c96f..f4ac9af 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings_es.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings_es.properties
@@ -16,3 +16,10 @@
 jsse.alias_no_key_entry=El nombre de Alias [{0}] no identifica una entrada de clave
 jsse.invalidTrustManagerClassName=El trustManagerClassName suministrado [{0}] no implementa  javax.net.ssl.TrustManager
 jsse.invalid_ssl_conf=La configuración SSL no es válida debido a [{0}]
+jsse.noDefaultCiphers=Incapáz de determinar un varlor por defecto para los cifrados de  [{0}]. Fije un valor explicito para asegurar que el conector pueda iniciar.
+jsse.openssl.effectiveCiphers=Cifradores usados: [{0}]
+jsse.pemParseError=Imposible parsear la clave desde [{0}]
+
+jsseSupport.clientCertError=Error tratando de obtener un certificado desde el cliente
+
+jsseUtil.trustedCertNotValid=El certificado confiable con alias [{0}] y DN [{1}] no es válido debido a [{2}]. Los certificados firmados por este certificados confiable SERAN aceptados\n
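
Review bot: Several of the added Spanish values carry typos, and jsseUtil.trustedCertNotValid ends in a literal \n that the French value for the same key in this commit does not have. In jsse.noDefaultCiphers, "Incapáz" should be "Incapaz", "varlor" should be "valor" and "explicito" should be "explícito"; in jsseUtil.trustedCertNotValid, "este certificados confiable" should be "este certificado confiable" and "SERAN" should be "SERÁN". Drop the trailing \n unless the line break in the log message is intended.
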
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/jsse/LocalStrings_fr.properties
index 19794bb..14ce0ce 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings_fr.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings_fr.properties
@@ -13,4 +13,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-jsse.alias_no_key_entry=Le nom alias [{0}] n''identifie pas une entrée de clef
+jsse.alias_no_key_entry=Le nom alias [{0}] n''identifie pas une entrée de clé
+jsse.enableable_ciphers=Les chiffres SSL spécifiés qui sont supportés et activables sont: [{0}]
+jsse.exceptionOnClose=Echec de fermeture du socket
+jsse.excludeProtocol=Le protocole SSL [{0}] qui est supporté par ce JRE a été exclu des protocoles disponibles dans Tomcat
+jsse.invalidTrustManagerClassName=Le trustManagerClassName fourni [{0}] n''implémente pas javax.net.ssl.TrustManager
+jsse.invalid_ssl_conf=La configuration SSL est invalide, dû à [{0}]
+jsse.noCertFile=L'attribut certificateFile de SSLHostConfig doit être défini lorsqu'un connecteur SSL est utilisé
+jsse.noDefaultCiphers=Impossible de déterminer un défaut pour le mode de chiffrement de [{0}], indiquez une valeur explicite pour permettre le démarrage du connecteur
+jsse.noDefaultProtocols=Impossible de déterminer un défaut pour sslEnabledProtocols de [{0}], indiquez une valeur explicite pour permettre le démarrage du connecteur
+jsse.noKeys=Aucun alias pour les clés privées n'a été trouvé dans la base de clés
+jsse.openssl.effectiveCiphers=Chiffres utilisés: [{0}]
+jsse.openssl.unknownElement=Elément inconnu dans la chaîne de chiffres: [{0}]
+jsse.pemParseError=Impossible de parser la clé de [{0}]
+
+jsseSupport.certTranslationError=Erreur lors de la traduction du certificat [{0}]
+jsseSupport.clientCertError=Echec de l'obtention d'un certificat de la part du client
+
+jsseUtil.invalidTrustCert=Le certificat pour [{0}] dans la base de confiance n''est pas valide et est donc exclu de la liste des certificats envoyés au client
+jsseUtil.noCrlSupport=Le truststoreProvider [{0}] ne supporte pas d''option de configuration certificateRevocationFile
+jsseUtil.noVerificationDepth=Le truststoreProvider [{0}] ne supporte pas l''option de configuration certificateVerificationDepth
+jsseUtil.trustedCertNotChecked=Les dates de validité du certificat de confiance dont l''alias est [{0}] n''ont pas été vérifiées car sont type est inconnu
+jsseUtil.trustedCertNotValid=Le certificat de confiance avec l''alias [{0}] et le DN [{1}] n''est pas valide à cause de [{2}], les certificats signés par ce certificat de confiance SERONT acceptés
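
Review bot: Two wording slips in the added French values: jsseUtil.trustedCertNotChecked has "car sont type est inconnu", which should read "car son type est inconnu", and jsseUtil.noCrlSupport has "ne supporte pas d''option de configuration" where the neighbouring jsseUtil.noVerificationDepth uses "l''option". The apostrophes are otherwise consistent (doubled in values with {n} placeholders, single in values without), which is correct only if the placeholder-free keys are never passed through MessageFormat.
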
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/jsse/LocalStrings_ja.properties
index 27a5eee..00f2d36 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings_ja.properties
@@ -14,3 +14,24 @@
 # limitations under the License.
 
 jsse.alias_no_key_entry=別名 [{0}] はキーエントリを発見できません
+jsse.enableable_ciphers=サポートされ、有効になっている指定されたSSL暗号は次のとおりです。[{0}]
+jsse.exceptionOnClose=ソケットを切断できません。
+jsse.excludeProtocol=JRE は SSL プロトコル [{0}] に対応しています。しかし Tomcat の利用可能プロトコルからは除外されています。
+jsse.invalidTrustManagerClassName=[{0}]が提供するtrustManagerClassNameはjavax.net.ssl.TrustManagerを実装していません。
+jsse.invalid_ssl_conf=[{0}]のためSSL設定が無効です。
+jsse.noCertFile=SSLコネクタを使用する場合は、SSLHostConfigのcertificateFile属性を定義する必要があります。
+jsse.noDefaultCiphers=[{0}]の暗号のデフォルトを判別できません。 コネクターを開始できるように、明示的な値を設定してください。
+jsse.noDefaultProtocols=sslEnableProtocols の初期値を取得できません。コネクターを開始できるよう明示的に値を設定してください。
+jsse.noKeys=キーストアで見つかった秘密キーのエイリアスがありません。
+jsse.openssl.effectiveCiphers=使用された暗号:[{0}]
+jsse.openssl.unknownElement=暗号文字列の不明な要素:[{0}]
+jsse.pemParseError=秘密鍵ファイル [{0}] を解析できませんでした。
+
+jsseSupport.certTranslationError=証明書の翻訳中にエラーが発生しました[{0}]
+jsseSupport.clientCertError=クライアントから証明書を取得できません。
+
+jsseUtil.invalidTrustCert=トラストストアに登録された証明書 [{0}] は妥当ではありません。クライアントに送信する証明書から除外します。
+jsseUtil.noCrlSupport=トラストストアプロバイダー [{0}] は設定項目 certificateRevocationFile に対応していません。
+jsseUtil.noVerificationDepth=トラストストアプロバイダー [{0}] は設定項目 certificateVerificationDepth に未対応です。
+jsseUtil.trustedCertNotChecked=エイリアス[{0}]を持つ信頼できる証明書の有効期限は、証明書が不明な型であるためチェックされませんでした。
+jsseUtil.trustedCertNotValid=エイリアス[{0}]とDN [{1}]を持つ信頼できる証明書が[{2}]のために無効です。 この信頼できる証明書で署名された証明書が受け入れられるでしょう
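
Review bot: jsse.noDefaultProtocols in the Japanese file drops the [{0}] placeholder and spells the attribute "sslEnableProtocols", while the French value added in this same commit keeps [{0}] and writes "sslEnabledProtocols". Without the placeholder the argument passed for {0} is silently dropped from the Japanese message; restore [{0}] and correct the attribute name.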




[tomcat] 05/10: Fix URL in comment

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4b3c6fdcb93fe019549525a66bfb9d0b39bd65a0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:08:54 2019 +0100

    Fix URL in comment
---
 java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 241a35d..82d5862 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -632,7 +632,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
             throws SSLException {
         // NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
         // SSL_pending will return 0 if OpenSSL has not started the current TLS record
-        // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
+        // See https://www.openssl.org/docs/manmaster/man3/SSL_pending.html
         clearLastError();
         int lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0); // priming read
         // check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
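
Review bot: The corrected link in the comment above clearLastError() still points at manmaster, which follows the OpenSSL development branch, so the path can move again and the text can drift from the behaviour this code was written against. Consider linking the man page for a specific OpenSSL release instead.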




[tomcat] 03/10: Remove unused message key

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 1dfae8961dd4b29bb36c377a6e056ce3c0cc4fb9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:08:27 2019 +0100

    Remove unused message key
---
 java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 -
 1 file changed, 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 7d6dfb3..1dca2b5 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -41,7 +41,6 @@ keyManager.nullPrivateKey=Null private key
 openssl.X509FactoryError=Error getting X509 factory instance
 openssl.addedClientCaCert=Added client CA cert: [{0}]
 openssl.applyConf=Applying OpenSSLConfCmd to SSL context
-openssl.assignConf=Assigning SSL context to OpenSSLConfCmd context
 openssl.certificateVerificationFailed=Certificate verification failed
 openssl.checkConf=Checking OpenSSLConf
 openssl.doubleInit=SSL context already initialized, ignoring




[tomcat] 08/10: Avoid possible hang with TLS 1.0 + NIO/NIO2 + OpenSSL 1.1.1 or later

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit bfc8b58645de2fa69819e90dd096f854e6a6929b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:27:31 2019 +0100

    Avoid possible hang with TLS 1.0 + NIO/NIO2 + OpenSSL 1.1.1 or later
---
 .../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 19 ++++++++++++++++++-
 webapps/docs/changelog.xml                            |  9 +++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 82d5862..e775168 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -145,6 +145,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 
     // Use an invalid cipherSuite until the handshake is completed
     // See http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#getSession()
+    private volatile String version;
     private volatile String cipher;
     private volatile String applicationProtocol;
 
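
Review bot: The new version field is inserted directly under the comment "Use an invalid cipherSuite until the handshake is completed", which describes cipher, so the comment now reads as documentation for version. Declare version above that comment or after applicationProtocol, and give it its own comment saying it stays unset until the handshake completes.
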
@@ -640,7 +641,22 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
         if (lastPrimingReadResult <= 0) {
             checkLastError();
         }
-        return SSL.pendingReadableBytesInSSL(ssl);
+        int pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+
+        // TLS 1.0 needs additional handling
+        // TODO Figure out why this is necessary and if a simpler / better
+        // solution is available
+        if (Constants.SSL_PROTO_TLSv1.equals(version) && lastPrimingReadResult == 0 &&
+                pendingReadableBytesInSSL == 0) {
+            // Perform another priming read
+            lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0);
+            if (lastPrimingReadResult <= 0) {
+                checkLastError();
+            }
+            pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+        }
+
+        return pendingReadableBytesInSSL;
     }
 
     @Override
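
Review bot: The TLS 1.0 branch is a workaround whose cause is unknown, as its own TODO says, and it retries the priming read exactly once: if pendingReadableBytesInSSL is still 0 after the second SSL.readFromSSL call, the method returns 0 as before. The comment should carry a reference to the bug report or reproduction so the branch can be re-tested and removed later, and the repeated readFromSSL / checkLastError / pendingReadableBytesInSSL sequence would be clearer as a small private helper called twice. A test that drives a TLS 1.0 connection through this path would also stop the workaround from regressing silently.
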
@@ -1027,6 +1043,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
                     }
                 }
                 session.lastAccessedTime = System.currentTimeMillis();
+                version = SSL.getVersion(ssl);
                 handshakeFinished = true;
                 return SSLEngineResult.HandshakeStatus.FINISHED;
             }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6266e79..fedb79c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,15 @@
       </add>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat
+        HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or
+        later. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <add>
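
Review bot: The changelog entry says "configured to use NIO or NIO with OpenSSL 1.1.1 or later", but the commit subject names NIO/NIO2; the second "NIO" should be "NIO2".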




[tomcat] 06/10: Back-port clean-up

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7ba68fbd9d2dda40f5c455341953cd9490d35b33
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:09:03 2019 +0100

    Back-port clean-up
---
 java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 61fd8b4..5cf17be 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -304,7 +304,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
             }
 
             if (negotiableProtocols != null && negotiableProtocols.size() > 0) {
-                ArrayList<String> protocols = new ArrayList<>();
+                List<String> protocols = new ArrayList<>();
                 protocols.addAll(negotiableProtocols);
                 protocols.add("http/1.1");
                 String[] protocolsArray = protocols.toArray(new String[0]);




[tomcat] 07/10: PEM files are ASCII encoded. Ensure they are read as ASCII.

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit fa08789a693ead10a5f449cd8af07d1e5f20250f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:22:42 2019 +0100

    PEM files are ASCII encoded. Ensure they are read as ASCII.
---
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index f96ed6a..e9df5f6 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -18,8 +18,11 @@ package org.apache.tomcat.util.net.jsse;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
-import java.io.FileReader;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
@@ -71,10 +74,12 @@ public class PEMFile {
         this.filename = filename;
 
         List<Part> parts = new ArrayList<>();
-        try (BufferedReader in = new BufferedReader(new FileReader(filename))) {
+        try (InputStream inputStream = new FileInputStream(filename)) {
+            BufferedReader reader =
+                    new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.US_ASCII));
             Part part = null;
             String line;
-            while ((line = in.readLine()) != null) {
+            while ((line = reader.readLine()) != null) {
                 if (line.startsWith(Part.BEGIN_BOUNDARY)) {
                     part = new Part();
                     part.type = line.substring(Part.BEGIN_BOUNDARY.length(), line.length() - 5).trim();
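
Review bot: Passing StandardCharsets.US_ASCII to InputStreamReader in the try block does not reject non-ASCII input: the reader's decoder replaces bytes outside the ASCII range with U+FFFD and carries on, so a mis-encoded or corrupted PEM file still reaches the boundary and Base64 handling instead of failing at the read. If the intent is to enforce ASCII, build the reader from a CharsetDecoder configured with CodingErrorAction.REPORT so the bad byte surfaces as an IOException. The context line part.type = line.substring(Part.BEGIN_BOUNDARY.length(), line.length() - 5) also assumes every BEGIN line ends in exactly five dashes with no trailing whitespace, which is worth a guard.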




[tomcat] 04/10: Add additional languages from 9.0.x

Posted by ma...@apache.org.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 3cb5b835c6e55900b1686bdf6f065791fffec9d4
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:08:41 2019 +0100

    Add additional languages from 9.0.x
---
 .../util/net/openssl/LocalStrings_es.properties    | 27 +++++++++
 .../util/net/openssl/LocalStrings_fr.properties    | 65 ++++++++++++++++++++++
 .../util/net/openssl/LocalStrings_ja.properties    | 64 +++++++++++++++++++++
 3 files changed, 156 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings_es.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings_es.properties
new file mode 100644
index 0000000..ee9f792
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings_es.properties
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+engine.emptyCipherSuite=Suite de cifrado vacía
+engine.engineClosed=El notor esta cerrado
+engine.noSession=El identificador de la sesión SSL no está disponible
+engine.openSSLError=Error de OpenSSL: [{0}] mensage: [{1}]\n
+engine.writeToSSLFailed=Fallo al escribir hacia SSL, resultado: [{0}]
+
+keyManager.nullCertificateChain=Cadena de certificado nulo
+
+openssl.addedClientCaCert=Ceritifcado CA de cliente adicionado: [{0}]
+openssl.trustManagerMissing=No se encontró un manejador confiable
+
+opensslconf.checkFailed=Fallo mientras se chequeaba OpenSSLConf\n
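
Review bot: The added Spanish values contain typos and two of them end in a literal \n. engine.engineClosed has "notor" for "motor" and "esta" for "está", engine.openSSLError has "mensage" for "mensaje", and openssl.addedClientCaCert has "Ceritifcado" for "Certificado". engine.openSSLError and opensslconf.checkFailed end in \n, which the French engine.openSSLError added in the same commit does not; drop it unless the line break is intended.
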
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings_fr.properties
new file mode 100644
index 0000000..b9238be
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings_fr.properties
@@ -0,0 +1,65 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+engine.ciphersFailure=Echec en essayant d'obtenir la liste des chiffres
+engine.emptyCipherSuite=La suite de chiffrement (cipher suite) est vide
+engine.engineClosed=Le moteur a déjà été fermé
+engine.failedCipherSuite=Impossible d''activer la suite de chiffres [{0}]
+engine.handshakeFailure=Echec de négociation: [{0}]
+engine.inboundClose=L'entrée a été fermée avant d'avoir reçu le close_notify du pair
+engine.invalidBufferArray=offset: [{0}], length: [{1}] (attendu: offset <= offset + length <= srcs.length [{2}])
+engine.noSSLContext=Pas de contexte SSL
+engine.noSession=Identificateur de session SSL non disponible
+engine.nullBuffer=Tampon null
+engine.nullBufferInArray=Tampon null dans le tableau
+engine.nullCipherSuite=Suite de chiffres nulle
+engine.nullName=La valeur du nom est null
+engine.nullValue=La valeur est null
+engine.openSSLError=Erreur OpenSSL : [{0}] message : [{1}]
+engine.oversizedPacket=Le paquet crypté est trop gros
+engine.renegotiationUnsupported=La renégociation n'est pas supportée
+engine.unsupportedCipher=Suite de chiffres non supportée: [{0}] [{1}]
+engine.unsupportedProtocol=Le protocole [{0}] n''est pas supporté
+engine.unverifiedPeer=Le pair n'est pas vérifié
+engine.writeToSSLFailed=Echec d''écriture vers SSL, code de retour: [{0}]
+
+keyManager.nullCertificateChain=La chaîne de certificats est nulle
+keyManager.nullPrivateKey=La clé privée est null
+
+openssl.X509FactoryError=Impossible d'obtenir l'instance de la fabrique X509
+openssl.addedClientCaCert=Ajout du certificat CA du client: [{0}]
+openssl.applyConf=Application de OpenSSLConfCmd au contexte SSL
+openssl.certificateVerificationFailed=La vérification du certificat a échoué
+openssl.checkConf=Vérification de OpenSSLConf en cours
+openssl.doubleInit=Le contexte SSL a déjà été initialisé, ignoré
+openssl.errApplyConf=Impossible d'appliquer la OpenSSLConf au contexte SSL
+openssl.errCheckConf=Erreur pendant la vérification de OpenSSLConf
+openssl.errMakeConf=Impossible de créer le contexte de OpenSSLConf
+openssl.errorSSLCtxInit=Erreur d'initialisation du contexte SSL
+openssl.keyManagerMissing=Aucun gestionnaire de clés trouvé
+openssl.makeConf=Création du contexte de OpenSSLConf
+openssl.nonJsseCertficate=Le certificat [{0}] ou sa clé privée [{1}] n''a pas pu être traité en utilisant un gestionnaire de clé de JSSE, et sera directement passée à OpenSSL
+openssl.trustManagerMissing=Gestionnaire de confiance non trouvé
+
+opensslconf.applyCommand=Application de la commande OpenSSLConf (nom [{0}] valeur [{1}])
+opensslconf.applyFailed=Erreur en appliquant OpenSSLConf au contexte SSL
+opensslconf.checkCommand=Vérification de la commande OpenSSLConf (nom [{0}] valeur [{1}])
+opensslconf.checkFailed=Echec de la vérification de OpenSSLConf
+opensslconf.failedCommand=La commande OpenSSLConf (nom [{0}] valeur [{1}]) a échoué avec le résultat [{2}] qui sera ignoré
+opensslconf.finishFailed=OpenSSLConf s''est terminé en échec avec le résultat [{0}]
+opensslconf.noCommandName=Pas de nom de commande OpenSSLConf (valeur [{0}]), cela sera ignoré
+opensslconf.resultCommand=La commande OpenSSLConf (nom [{0}] valeur [{1}]) a retourné [{2}]
+
+sessionContext.nullTicketKeys=Clés nulles
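
Review bot: apostrophe escaping is split in this file, and the split is only safe under an assumption the patch does not state. Values with placeholders double the apostrophe (engine.failedCipherSuite "d''activer", engine.unsupportedProtocol "n''est", opensslconf.finishFailed "s''est"), while values without placeholders use a single one (engine.ciphersFailure, engine.inboundClose, engine.renegotiationUnsupported, engine.unverifiedPeer, openssl.X509FactoryError and others). java.text.MessageFormat treats a single apostrophe as a quote character and drops it, so the single-apostrophe values are correct only if those keys are never passed through MessageFormat; please confirm against the call sites, or double them everywhere. Smaller style points: the cipher-suite wording varies between "suite de chiffrement" (engine.emptyCipherSuite) and "suite de chiffres" (engine.failedCipherSuite, engine.nullCipherSuite, engine.unsupportedCipher), and spacing before the colon differs between engine.openSSLError ("OpenSSL : [{0}]") and engine.handshakeFailure ("négociation: [{0}]").
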
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings_ja.properties
new file mode 100644
index 0000000..e61d134
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings_ja.properties
@@ -0,0 +1,64 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+engine.ciphersFailure=暗号リストを取得できません。
+engine.emptyCipherSuite=暗号スイートがありません。
+engine.engineClosed=エンジンが閉じられています
+engine.failedCipherSuite=暗号スイート[{0}]を有効にできませんでした。
+engine.handshakeFailure=ハンドシェイクに失敗しました: [{0}]
+engine.inboundClose=ピアのclose_notifyを受信する前のインバウンドクローズ
+engine.invalidBufferArray=オフセット: [{0}], 長さ: [{1}] (期待値: offset <= offset + length <= srcs.length [{2}])
+engine.noSSLContext=SSLコンテキストがありません
+engine.noSession=SSLセッションIDが利用可能ではありません
+engine.nullBuffer=Null バッファ
+engine.nullBufferInArray=配列内のNull バッファ
+engine.nullCipherSuite=Null 暗号スイート
+engine.nullName=Null値名
+engine.nullValue=Null値
+engine.openSSLError=OpenSSLエラー:[{0}] メッセージ:[{1}]
+engine.oversizedPacket=暗号化パケットのサイズが超過しています。
+engine.renegotiationUnsupported=再ネゴシエーションには対応していません。
+engine.unsupportedCipher=サポートされていない暗号スイート:[{0}] [{1}]
+engine.unsupportedProtocol=プロトコル [{0}] には対応していません。
+engine.unverifiedPeer=未確認のピア
+engine.writeToSSLFailed=SSLへの書き込みに失敗しました。返却値:[{0}]
+
+keyManager.nullCertificateChain=Nullの証明書チェーン
+keyManager.nullPrivateKey=Null 秘密鍵
+
+openssl.X509FactoryError=X509ファクトリインスタンスの取得エラー
+openssl.addedClientCaCert=クライアント CA 証明書を登録しました: [{0}]
+openssl.applyConf=OpenSSLConfCmdをSSLコンテキストに適用します。
+openssl.certificateVerificationFailed=証明書確認に失敗しました
+openssl.checkConf=OpenSSLConfの確認
+openssl.doubleInit=SSLコンテキストが既に初期化されています。無視します。
+openssl.errApplyConf=OpenSSLConfをSSLコンテキストに適用できませんでした。
+openssl.errCheckConf=OpenSSLConfチェック中のエラー
+openssl.errMakeConf=OpenSSLConfコンテキストを作成できませんでした。
+openssl.errorSSLCtxInit=SSL コンテキストの初期化中にエラーが発生しました。
+openssl.keyManagerMissing=キーマネージャーが見つかりません。
+openssl.makeConf=OpenSSLConfコンテキストの作成
+openssl.trustManagerMissing=トラストマネージャが見つかりません
+
+opensslconf.applyCommand=OpenSSLConfはコマンド(名前[{0}]、値[{1}])を適用しています。
+opensslconf.applyFailed=OpenSSLConfをSSLコンテキストに適用する際の失敗
+opensslconf.checkCommand=OpenSSLConfチェックコマンド(名前[{0}]、値[{1}])
+opensslconf.checkFailed=OpenSSLConf のチェックが失敗しました。
+opensslconf.failedCommand=結果[{2}]でOpenSSLConfがコマンド(名前[{0}]、値[{1}])に失敗しました。無視されます。
+opensslconf.finishFailed=結果[{0}]でOpenSSLConfのfinish処理が失敗しました
+opensslconf.noCommandName=OpenSSLConfコマンド名なし - 無視されます(コマンド値[{0}])
+opensslconf.resultCommand=OpenSSLConfコマンド(名前[{0}]、値[{1}])が[{2}]を返しました。
+
+sessionContext.nullTicketKeys=Null キー
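
Review bot: the Japanese bundle has no entry for openssl.nonJsseCertficate, which the French file added in this same commit does define, so that message will fall back to another locale in the middle of otherwise Japanese output; add the translation or note that the omission is deliberate. Style is also uneven across the values: some end with "。" (engine.ciphersFailure, openssl.keyManagerMissing) and others do not (engine.engineClosed, openssl.trustManagerMissing), and the same loanword is written both as "マネージャー" (openssl.keyManagerMissing) and "マネージャ" (openssl.trustManagerMissing). Picking one convention for each would make these messages easier to grep for in logs.
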

