Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/31 20:02:50 UTC
[tomcat] branch main updated: Tomcat Native 2.x onwards will require SSL
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new e60f080415 Tomcat Native 2.x onwards will require SSL
e60f080415 is described below
commit e60f0804154a1434ef523d1db2b51c23e094ec40
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 31 21:02:33 2022 +0100
Tomcat Native 2.x onwards will require SSL
---
java/org/apache/catalina/core/AprLifecycleListener.java | 11 +++++++++++
java/org/apache/catalina/core/LocalStrings.properties | 1 +
webapps/docs/config/listeners.xml | 3 +++
3 files changed, 15 insertions(+)
diff --git a/java/org/apache/catalina/core/AprLifecycleListener.java b/java/org/apache/catalina/core/AprLifecycleListener.java
index 839343b7bc..6d2ef5df21 100644
--- a/java/org/apache/catalina/core/AprLifecycleListener.java
+++ b/java/org/apache/catalina/core/AprLifecycleListener.java
@@ -221,6 +221,17 @@ public class AprLifecycleListener implements LifecycleListener {
log.warn(sm.getString("aprListener.aprInitError", t.getMessage()), t);
return;
}
+ if (major > 1 && "off".equalsIgnoreCase(SSLEngine)) {
+ log.error(sm.getString("aprListener.sslRequired", SSLEngine, Library.versionString()));
+ try {
+ // Tomcat Native 2.x onwards requires SSL
+ terminateAPR();
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ return;
+ }
if (apver < rqver) {
log.error(sm.getString("aprListener.tcnInvalid",
Library.versionString(),
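Review bot: The catch block around `terminateAPR()` in the new `major > 1` branch logs nothing when termination fails, so the only trace is the earlier `aprListener.sslRequired` error and an operator cannot tell whether the native library was actually shut down. `ExceptionUtils.handleThrowable(t)` appears to rethrow only fatal errors, so any other failure is dropped here; consider logging the unwrapped throwable before handling it, e.g. `log.warn(sm.getString("<key-for-failed-terminate>"), t);` (placeholder key, which would need an entry in LocalStrings.properties). The comment `// Tomcat Native 2.x onwards requires SSL` would also read better above the `if`, extended to say that startup continues with APR/native disabled rather than aborting, since that is presumably the behaviour a deployer needs to know about. The enclosing method starts and ends outside this hunk.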
diff --git a/java/org/apache/catalina/core/LocalStrings.properties b/java/org/apache/catalina/core/LocalStrings.properties
index e0ae670445..3b67c1fffd 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -81,6 +81,7 @@ aprListener.initializingFIPS=Initializing FIPS mode...
aprListener.requireNotInFIPSMode=AprLifecycleListener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode
aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization.
aprListener.sslInit=Failed to initialize the SSLEngine.
+aprListener.sslRequired=[{0}] is not a valid value for SSLEngine when using version [{1}] of the Tomcat Native library since SSL is required for version 2.x onwards.
aprListener.tcnInvalid=An incompatible version [{0}] of the Apache Tomcat Native library is installed, while Tomcat requires version [{1}]
aprListener.tcnValid=Loaded Apache Tomcat Native library [{0}] using APR version [{1}].
aprListener.tcnVersion=An older version [{0}] of the Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [{1}]
diff --git a/webapps/docs/config/listeners.xml b/webapps/docs/config/listeners.xml
index 1638dfc175..be2b87aac1 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -103,6 +103,9 @@
<p>See the <a href="http://www.openssl.org/">Official OpenSSL website</a>
for more details on supported SSL hardware engines and manufacturers.
</p>
+ <p>Tomcat Native 2.x onwards requires SSL so if SSLEngine is set to
+ <code>off</code> when using Tomcat Native 2.x onwards, the APR/native
+ library will be disabled.</p>
</attribute>
<attribute name="SSLRandomSeed" required="false">